Re: Active Directory Computer Attributes



I had to grant permissions to Domain Computers to write all properties for all computer objects in the OU before it worked in a startup script for me. Granting permission to write personal information and write public information did not work.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Anwar Mahmood" <AnwarMahmood@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7F3C4AA7-341F-488C-83BB-39F8548762B1@xxxxxxxxxxxxxxxx
Hi Richard,

If I use a startup script to update the comments attribute, this doesn't work. According to the KB article, the computer object should have rights to do that.

Kind regards,

Anwar

"Richard Mueller [MVP]" wrote:

Some of the issues involved.

1. Startup (and Shutdown) scripts run before there is any user.
2. Although Startup scripts run with System credentials on the local computer, they have the permissions of the computer object elsewhere, such as in AD. The computer object lacks permissions to update the location attribute.
3. Normal users also lack permission to update the location attribute of computer objects, whether in a logon script or otherwise.
4. There is no way to tell how old an attribute value is, unless the value includes the date.

You need to grant permissions to either users or computers to update the attribute. It might as well be the entity that knows the information, which is this "trusted" user. If all of the computers are in an OU, you can grant permissions to a domain group of users (or computers). The only way to handle the date issue is to either include the date in the value assigned to location, or store the date in another attribute.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Anwar Mahmood" <AnwarMahmood@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D5BB735E-7284-42F9-879D-6787EFA19915@xxxxxxxxxxxxxxxx
Hi Richard,

Many thanks for your reply.

We have a fairly dynamic estate of around 5,000 PCs, so I'm looking for the computers to update the attribute themselves, just like they populate the operating system and service pack. I'd like to fill in the location attribute with a location such as Campus A Building B Room C. If it's automatic, when the PCs are relocated they will update the directory with the new location.

Here's how it might work
1. Receive a new PC and image it.
2. Authorised user logs on. Script detects the location attribute is empty, and asks the user for one.
3. Either script updates it directly (unlikely) or the script writes a registry value in HKLM.
4. In the computer startup script, another script reads the registry value and writes it to AD.
5. The script in step 2 checks how "old" the information is. If it's more than, say, 3 months old, it prompts the user again to provide this information.
- if the computer hasn't been moved, the user simply confirms it's still there
- if the computer has been moved, the user provides the new location

I know it's possible to grant rights to users and do it this way, but I'd prefer to avoid this and I don't think it's necessary.

Kind regards,

Anwar

"Richard Mueller [MVP]" wrote:

Anwar wrote:

I'd like to set the location attribute on the Active Directory computer object. The script is fairly straightforward;

' Bind to this computer's own AD object via its distinguished name
Set oADSysInfo = CreateObject("ADSystemInfo")
Set oComputer = GetObject("LDAP://" & oADSysInfo.ComputerName)
oComputer.location = "Site A Building B Floor C Room D"
oComputer.SetInfo

However, the clever bit is to get the computer to update its own location automatically. I know there are probably some clever things that can be done with the new Link Layer Topology Protocol (LLTP) capabilities in Windows Vista, but for now I'm considering prompting *trusted* users, which would then get written to AD.

By default Active Directory grants SELF read and write permissions to "Personal Information", which Microsoft concedes is a little vague;

http://msdn.microsoft.com/en-us/library/ms684394.aspx

However, personal information includes the comments field.

I'm trying to set the comments attribute on the computer object. I thought my best chance in terms of security was running the script in the computer startup or shutdown scripts, but this didn't work. Anyone have any ideas? We have a Windows Server 2003 R2 Enterprise domain.

Which attribute of the computer object do you want to update? What do you want the value to be and where will it come from? If the attribute value can be generated automatically, it would make more sense for you to update it yourself in bulk, either in ADUC, in a script, or using a command line tool. The only reason not to do it yourself is because you cannot determine the required value.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
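The startup-script half of the flow Anwar proposes (step 4), together with the age check from step 5, as an added example that is not code from the thread. It assumes the logon script stored the location and the entry date under an HKLM key of its own (the key and value names here are made up), and that the computer account has the delegated write access Richard describes in his first reply.

```vbscript
' Added example, not code from the thread. Startup-script half of the flow
' above: reads the location stored under HKLM by the logon script (key and
' value names are assumptions) and writes it to this computer's own
' location attribute with the entry date appended, so the age can be read
' back from the value itself. Needs the delegated write permission Richard
' describes in his first reply.
Option Explicit

Const REG_KEY = "HKLM\SOFTWARE\Contoso\AssetLocation\"   ' assumed key
Const MAX_AGE_DAYS = 90                                   ' "3 months"

' True when the "[yyyy-mm-dd]" suffix of a stored location value is
' missing, unparseable, or older than MAX_AGE_DAYS, i.e. the logon
' script (step 5) should prompt the user again.
Function IsStale(sValue)
    Dim p, sDate
    p = InStrRev(sValue, "[")
    If p = 0 Or Right(sValue, 1) <> "]" Then
        IsStale = True
        Exit Function
    End If
    sDate = Mid(sValue, p + 1, Len(sValue) - p - 1)
    If IsDate(sDate) Then
        IsStale = (DateDiff("d", CDate(sDate), Date) > MAX_AGE_DAYS)
    Else
        IsStale = True
    End If
End Function

Dim oShell, oADSysInfo, oComputer, sLocation, sEntered, sNew, sCurrent
Set oShell = CreateObject("WScript.Shell")
On Error Resume Next   ' RegRead raises if the value was never written
sLocation = oShell.RegRead(REG_KEY & "Location")
sEntered  = oShell.RegRead(REG_KEY & "EnteredOn")   ' yyyy-mm-dd
On Error GoTo 0
If sLocation = "" Or sEntered = "" Then WScript.Quit 0

sNew = sLocation & " [" & sEntered & "]"
Set oADSysInfo = CreateObject("ADSystemInfo")
Set oComputer = GetObject("LDAP://" & oADSysInfo.ComputerName)
On Error Resume Next   ' Get fails while the attribute is still empty
sCurrent = oComputer.Get("location")
On Error GoTo 0

' Write only when the value changed, to avoid needless replication.
If sCurrent <> sNew Then
    oComputer.Put "location", sNew
    oComputer.SetInfo
End If
```

IsStale is the check the logon-script side would run on the value it reads back from AD; keeping the date inside the value means no second attribute has to be delegated.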
