Re: Prevent from Creating Computer Objects
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Mon, 26 Jun 2006 15:08:31 -0400
No, that has no impact on delegation. However, you have to understand how the join process works. If someone doesn't have the rights to join a computer to the Computers OU (or whatever OU the default join is redirected to), then they won't be able to join a machine to AD unless they do it with a scripted join process utilizing NETDOM or by precreating the account and specifying who can do the join.
So to answer your points directly:
A will not occur unless the delegated admin uses NETDOM.
B is likely unless again, the delegated admin uses NETDOM and specifies what OU to create the computer object in.
I haven't tested C. You can easily test whether you can get it to work this way: set the quota mentioned previously to 0 and then grant create child for computers on the Computers container to the group you want to do the joins. See if it will then allow you to create a computer there during a normal join.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Sasi wrote:
Does it have any negative impact on administration-delegated OUs? (Of course the KB article suggests no, but I want to make sure.)
Another question:
Suppose I did this, and then created an OU and delegated control of that OU to a user. Which of the following possible scenarios happens on the user's attempt to join a workstation to the domain?
A. A computer object is created in that OU and the workstation is joined to the domain.
B. The workstation is joined to the domain ONLY IF a computer account was created in that OU prior to the domain-join attempt; otherwise it will fail.
C. If a matching computer account is found, the workstation joins and uses that account; otherwise a computer object is created in the default "Computers" container (the default behaviour, which I want to prevent).
"Joe Richards [MVP]" wrote:
Set the attribute specified to 0 and authenticated users will not be able to arbitrarily add machines to your domain.
Sasi wrote:
Thank you. Maybe this will help me, maybe not; but it was a useful tip that I believe will come in handy sometime.
"Joe Richards [MVP]" wrote:
http://support.microsoft.com/?kbid=243327
Sasi wrote:
How can I prevent somebody from creating computer objects throughout Active Directory?
No matter what permissions I set, a user named userA (belonging to the "Domain Users" group only) is always able to join computers to the domain using his/her username/password, and a computer object is created in the "Computers" container.
I even set "Everyone"'s "Full Control" permission to "Deny" on the Computers container, but he/she can still attach his/her computer to the domain with any computer name, causing a computer account to be created in the Computers container.
What can I do to block creation of objects in the default containers in Windows 2000, especially the "Computers" container?
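
Added example, not part of the thread or written by its participants: a PowerShell audit of the quota discussed above, assuming the attribute the linked KB article describes is `ms-DS-MachineAccountQuota` on the domain head object and that the ActiveDirectory module (which postdates the Windows 2000 domain in the question) is available. The function names are hypothetical. It reports the current quota and lists computer objects that ordinary users created through it, then offers the change to 0 behind `-WhatIf`.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-MachineJoinExposure {              # hypothetical helper name
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $domain = Get-ADDomain -Server $Server
    # The quota is an attribute of the domain head object (e.g. DC=example,DC=com).
    $head = Get-ADObject -Identity $domain.DistinguishedName -Server $Server `
                -Properties 'ms-DS-MachineAccountQuota'

    # Machines joined under the quota (by a user without create-child rights) carry
    # the joining user's SID in mS-DS-CreatorSID.
    $joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Server $Server `
                  -Properties 'mS-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = $_.'mS-DS-CreatorSID'
            $who = try { $sid.Translate([Security.Principal.NTAccount]).Value }
                   catch { $sid.Value }         # creator account deleted or unresolvable
            [pscustomobject]@{
                Computer    = $_.Name
                Container   = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
                Creator     = $who
                WhenCreated = $_.whenCreated
            }
        }

    [pscustomobject]@{
        Domain               = $domain.DNSRoot
        MachineAccountQuota  = $head.'ms-DS-MachineAccountQuota'
        DefaultComputersPath = $domain.ComputersContainer
        QuotaJoinedComputers = @($joined)
    }
}

function Set-MachineAccountQuotaZero {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $domain = Get-ADDomain -Server $Server
    if ($PSCmdlet.ShouldProcess($domain.DNSRoot, 'Set ms-DS-MachineAccountQuota to 0')) {
        Set-ADDomain -Identity $domain -Server $Server -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    }
}

$report = Get-MachineJoinExposure
$report | Format-List Domain, MachineAccountQuota, DefaultComputersPath
$report.QuotaJoinedComputers | Sort-Object WhenCreated | Format-Table -AutoSize
# Set-MachineAccountQuotaZero -WhatIf    # preview the change before applying it
```

After setting the quota to 0, a new entry in the quota-joined list would indicate the setting has not taken effect; joins by delegated admins with create-child rights do not stamp `mS-DS-CreatorSID`.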