Re: delete computer
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 27 May 2008 10:56:52 -0500
"sputnik" <sputnik@xxxxxxxxx> wrote in message
news:egYJX8AwIHA.576@xxxxxxxxxxxxxxxxxxxxxxx
Al Dunbar wrote:
"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:e5XvVv0vIHA.552@xxxxxxxxxxxxxxxxxxxxxxx
sputnik wrote:
I have a vbscript that checks the entire AD for a specific computer
name, and then the script deletes the computer name.
What security measures can I put in place so Domain Controllers or
member servers are not deleted ?
I am a little concerned here !
Your script can check the operatingSystem attribute to make sure the
string "server" is not found. I would make the check case insensitive
(by using LCase for example).
Who will be running this script? If it is workstation administrators,
then I'd strongly suggest limiting their ability to delete computer
objects to workstations, and specifically not allow them to delete
servers of any type. Ideally, the ability to delete domain controllers
would belong only to domain admins; for member servers this might be
expanded somewhat, or left at domain admins only.
/Al
This script will be run by our workstation/desktop admins.
Out of interest any specific way of doing this that you had in mind. I
plan to use 2 methods for taking care of this. If you can add ideas that
would be great.
1. I delegate control to manage workstations on the OU level and will omit
the Domain Controllers OU from any delegating rules/policies. All OU's
where there is a possibility for workstations that require management
will be delegated as mentioned.
2. And as a second measure the script can omit deletion of objects
within the Domain Controllers OU.
This may be an issue if we start placing domain controllers in other
containers scattered through AD.
How would you limit ability to delete computer objects only as opposed to
domain controllers ?
Cheers,
Best is to use ACLs on the Domain Controllers OU, etc, so people don't have
permission to delete. There are ways to find DCs and servers, but given
just the machine name the best way I know of to make sure it is not a DC or
server is to make sure the string "server" is not found in the value of the
operatingSystem attribute of the computer object. All DCs and member
servers will have a Server OS.
Given the NetBIOS name of the computer, you can use the NameTranslate object
to get the Distinguished Name. This allows you to bind to the object. You
can then retrieve the Parent DN and check if that is the Domain Controllers
OU. However, I would expect member servers to be anywhere. You may still
need to use NameTranslate, but once you bind to the object the
operatingSystem attribute is easiest. If you connect to the computer
remotely with WMI you can retrieve the Role from the Win32_ComputerSystem
class, but this is more work and requires that the machine be up and
accessible.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
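The guard Richard describes (NameTranslate to get the DN, check the parent against the Domain Controllers OU, then a case-insensitive test of operatingSystem), written out as an added VBScript example that is not part of the thread. It goes one step beyond the thread by also testing the userAccountControl trust flags, which follow a DC account even if it is moved out of the Domain Controllers OU; the domain and computer names at the bottom are constructed samples, and NameTranslate raises an error the caller must handle if the name does not exist.

```vbscript
Option Explicit

' Constant values are the documented IADsNameTranslate and userAccountControl values.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_UF_SERVER_TRUST_ACCOUNT = &H2000        ' set on writable DC computer accounts
Const ADS_UF_PARTIAL_SECRETS_ACCOUNT = &H4000000  ' set on read-only DC computer accounts

' Returns "" if the computer looks like a workstation, otherwise the reason it must be kept.
Function ReasonToKeep(strNetBIOSDomain, strComputer)
    Dim objTrans, strDN, objComputer, strOS, lngUAC, strDCsOU, strParent
    ReasonToKeep = ""

    ' NetBIOS name -> Distinguished Name, then bind to the computer object.
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strComputer & "$"
    strDN = objTrans.Get(ADS_NAME_TYPE_1779)
    Set objComputer = GetObject("LDAP://" & strDN)

    ' Check 1: the parent container is the Domain Controllers OU.
    strDCsOU = "OU=Domain Controllers," & GetObject("LDAP://RootDSE").Get("defaultNamingContext")
    strParent = Replace(objComputer.Parent, "LDAP://", "")
    If LCase(strParent) = LCase(strDCsOU) Then ReasonToKeep = "in Domain Controllers OU": Exit Function

    ' Attributes may be absent on stale objects, so read them under error handling.
    On Error Resume Next
    strOS = objComputer.Get("operatingSystem")
    If Err.Number <> 0 Then strOS = "": Err.Clear
    lngUAC = objComputer.Get("userAccountControl")
    If Err.Number <> 0 Then lngUAC = 0: Err.Clear
    On Error GoTo 0

    ' Check 2: operatingSystem contains "server", compared case-insensitively.
    If InStr(1, strOS, "server", vbTextCompare) > 0 Then ReasonToKeep = "server OS: " & strOS: Exit Function

    ' Check 3: DC trust flags, which stay with the account wherever it is placed in AD.
    If (lngUAC And ADS_UF_SERVER_TRUST_ACCOUNT) <> 0 Or (lngUAC And ADS_UF_PARTIAL_SECRETS_ACCOUNT) <> 0 Then
        ReasonToKeep = "userAccountControl marks it as a domain controller"
    End If
End Function

Dim strReason
strReason = ReasonToKeep("MYDOMAIN", "WKS001")  ' constructed sample domain and computer names
If strReason = "" Then
    WScript.Echo "WKS001 passed the workstation checks."
Else
    WScript.Echo "Refusing to delete WKS001: " & strReason
End If
```

As the thread notes, this is only the second line of defence; the ACLs on the Domain Controllers OU and server OUs are what actually stop a delegated workstation admin from deleting a server object.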