Re: Active Directory Computer Attributes
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 2 Jun 2008 10:13:00 -0500
Some of the issues involved:
1. Startup (and Shutdown) scripts run before there is any user.
2. Although Startup scripts run with System credentials on the local
computer, they have the permissions of the computer object elsewhere, such
as in AD. The computer object lacks permissions to update the location
attribute.
3. Normal users also lack permission to update the location attribute of
computer objects, whether in a logon script or otherwise.
4. There is no way to tell how old an attribute value is, unless the value
includes the date.
You need to grant permissions to either users or computers to update the
attribute. It might as well be the entity that knows the information, which
is this "trusted" user. If all of the computers are in an OU, you can grant
permissions to a domain group of users (or computers). The only way to
handle the date issue is to either include the date in the value assigned to
location, or store the date in another attribute.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
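The delegation Richard describes above (grant write on one attribute to a group, scoped to the OU that holds the computers) as an added PowerShell example. This is not code from the thread or from Richard; it assumes the RSAT ActiveDirectory module is available, and the OU and group names are placeholders.

```powershell
# Added example (not code from the thread): delegate write access to the
# 'location' attribute of computer objects under one OU to a single group,
# instead of giving SELF or every user that right. Requires the RSAT
# ActiveDirectory module; the OU and group below are placeholders.
Import-Module ActiveDirectory

$OuDN      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU holding the computers
$GroupName = 'Location-Editors'                     # placeholder group (users or computers)

function Get-SchemaGuid([string]$LdapDisplayName) {
    # Resolve the schemaIDGUID at run time instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid][byte[]]$obj.schemaIDGUID
}

function Grant-LocationWrite([string]$OuDN, [string]$GroupName) {
    $attrGuid  = Get-SchemaGuid 'location'   # the one attribute being delegated
    $classGuid = Get-SchemaGuid 'computer'   # ...and only on computer objects
    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupName).SID

    # Read and write on 'location' only, inherited by descendant computer
    # objects only. Nothing else on the OU or its children is touched.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)

    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Get-LocationAces([string]$OuDN) {
    # Verification: list every ACE on the OU that targets the 'location' attribute,
    # so the delegation can be checked (and audited) after it is applied.
    $attrGuid = Get-SchemaGuid 'location'
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.ObjectType -eq $attrGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      InheritanceType, InheritedObjectType
}

Grant-LocationWrite -OuDN $OuDN -GroupName $GroupName
Get-LocationAces -OuDN $OuDN | Format-Table -AutoSize
```

If the writer is to be the computer itself (a startup script running as SYSTEM, as in the thread), put the computer accounts in the group rather than the users; the ACE is the same either way. Scoping the rule to the attribute GUID and to descendant computer objects is what keeps this from becoming a broad write on the OU.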
"Anwar Mahmood" <AnwarMahmood@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:D5BB735E-7284-42F9-879D-6787EFA19915@xxxxxxxxxxxxxxxx
Hi Richard,
Many thanks for your reply.
We have a fairly dynamic estate of around 5,000 PCs, so I'm looking for the computers to update the attribute themselves, just like they populate the operating system and service pack. I'd like to fill in the location attribute with a location such as Campus A Building B Room C. If it's automatic, when the PCs are relocated they will update the directory with the new location.
Here's how it might work:
1. Receive a new PC and image it.
2. Authorised user logs on. Script detects the location attribute is empty, and asks the user for one.
3. Either script updates it directly (unlikely) or the script writes a registry value in HKLM.
4. In the computer startup script, another script reads the registry value and writes it to AD.
5. The script in step 2 checks how "old" the information is. If it's more than, say, 3 months old, it prompts the user again to provide this information.
- if the computer hasn't been moved, the user simply confirms it's still there
- if the computer has been moved, the user provides the new location
I know it's possible to grant rights to users and do it this way, but I'd prefer to avoid this and I don't think it's necessary.
Kind regards,
Anwar
"Richard Mueller [MVP]" wrote:
Anwar wrote:
I'd like to set the location attribute on the Active Directory computer object. The script is fairly straightforward:
' Bind to this computer's own AD object via ADSystemInfo and set its location
Set oADSysInfo = CreateObject("ADSystemInfo")
Set oComputer = GetObject("LDAP://" & oADSysInfo.ComputerName)
oComputer.location = "Site A Building B Floor C Room D"
oComputer.SetInfo   ' commit the change to the directory
However, the clever bit is to get the computer to update its own location automatically. I know there are probably some clever things that can be done with the new Link Layer Topology Protocol (LLTP) capabilities in Windows Vista, but for now I'm considering prompting *trusted* users, which would then get written to AD.
By default Active Directory grants SELF read and write permissions to
"Personal Information", which Microsoft concedes is a little vague;
http://msdn.microsoft.com/en-us/library/ms684394.aspx
However, personal information includes the comments field.
I'm trying to set the comments attribute on the computer object. I
thought
my best chance in terms of security was running the script in the
computer
startup or shutdown scripts, but this didn't work. Anyone have any
ideas?
We have a Windows Server 2003 R2 Enterprise domain.
Which attribute of the computer object do you want to update? What do you want the value to be and where will it come from? If the attribute value can be generated automatically, it would make more sense for you to update it yourself in bulk, either in ADUC, in a script, or using a command line tool. The only reason not to do it yourself is because you cannot determine the required value.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
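The hand-off Anwar proposes in his numbered steps (logon-time prompt writing to HKLM, startup-time copy into the computer object, and the "how old is it" check) as an added PowerShell example; it is not code from either poster. Following Richard's suggestion, the date is carried inside the location value itself so its age can be checked later without a second attribute. It assumes the registry path is a placeholder key whose ACL permits the logon-script user to write it (a standard user cannot write under HKLM by default), and that the computer account, for example through a computer group, has been delegated write on `location`, since by default it has not.

```powershell
# Added example (not code from the thread). Two halves: Request-LocationFromUser
# runs at logon and only prompts when the recorded location is empty or stale;
# Publish-LocationFromRegistry runs at startup as SYSTEM and copies the pending
# value into the computer object's 'location' attribute.
# Assumptions: placeholder registry key with an ACL the logon user can write;
# the computer account has been delegated WriteProperty on 'location'.

$RegPath    = 'HKLM:\SOFTWARE\ExampleOrg\AssetLocation'   # placeholder key
$RegValue   = 'Location'
$MaxAgeDays = 90                                           # "more than, say, 3 months"
$DateTag    = ' | updated '                                # separator inside the stored value

function Get-ComputerDN {
    # ADSystemInfo exposes no type library, so its properties are read via InvokeMember.
    $info = New-Object -ComObject ADSystemInfo
    return $info.GetType().InvokeMember('ComputerName', 'GetProperty', $null, $info, $null)
}

function Format-LocationValue([string]$Location, [datetime]$Date = (Get-Date)) {
    # e.g. "Campus A Building B Room C | updated 2008-06-02"
    return $Location.Trim() + $DateTag + $Date.ToString('yyyy-MM-dd')
}

function Get-LocationText([string]$Value) {
    # The human-readable part, without the date stamp.
    $idx = $Value.LastIndexOf($DateTag)
    if ($idx -lt 0) { return $Value } else { return $Value.Substring(0, $idx) }
}

function Get-LocationAgeDays([string]$Value, [datetime]$Now = (Get-Date)) {
    # Age in days of the embedded date, or $null when there is no parseable date.
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    $idx = $Value.LastIndexOf($DateTag)
    if ($idx -lt 0) { return $null }
    $stamp  = $Value.Substring($idx + $DateTag.Length)
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($stamp, 'yyyy-MM-dd',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if (-not $ok) { return $null }
    return [int]($Now.Date - $parsed.Date).TotalDays
}

function Test-LocationStale([string]$Value, [int]$MaxDays = $MaxAgeDays) {
    # Empty, undated and too-old values all count as stale (step 5).
    $age = Get-LocationAgeDays $Value
    return ($null -eq $age) -or ($age -gt $MaxDays)
}

function Request-LocationFromUser {
    # Logon-side (steps 2, 3 and 5): read the current value, prompt only if needed,
    # and leave the answer in the registry for the startup script to publish.
    $computer = [adsi]('LDAP://' + (Get-ComputerDN))
    $current  = [string]$computer.Properties['location'].Value
    if (-not (Test-LocationStale $current)) { return }

    $suggest = Get-LocationText $current
    $answer  = Read-Host "Enter this PC's location (press Enter to confirm '$suggest')"
    if ([string]::IsNullOrWhiteSpace($answer)) { $answer = $suggest }
    if ([string]::IsNullOrWhiteSpace($answer)) { return }   # nothing to record

    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    # A confirmation of an unchanged location still gets today's date.
    Set-ItemProperty -Path $RegPath -Name $RegValue -Value (Format-LocationValue $answer)
}

function Publish-LocationFromRegistry {
    # Startup-side (step 4): runs as SYSTEM, so AD sees the computer account.
    $item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue
    if (-not $item) { return }
    $pending  = [string]$item.$RegValue
    $computer = [adsi]('LDAP://' + (Get-ComputerDN))
    $current  = [string]$computer.Properties['location'].Value
    if ($pending -eq $current) { return }   # already published, avoid a needless write
    $computer.Put('location', $pending)
    $computer.SetInfo()
}
```

Call `Request-LocationFromUser` from the logon script and `Publish-LocationFromRegistry` from the startup script. Because the startup half writes whatever it finds in the registry, the key's ACL is the real control here: whoever can write that value can set the location that ends up in the directory, which is why it should be no wider than the "trusted" users Anwar has in mind.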