Re: Prevent from Creating Computer Objects



Dear Joe,
Thank you. Your tip, along with the "add workstation to domain" articles, helped me
solve my problem.

FYI:
A: did not happen, as you told me.
B: happened, provided that the user has proper permissions to the
already-created computer object (I mean those 4 permissions that are granted
when you set "The following user and group can join this computer to a
domain").
C: happened, provided that the user has proper permissions on the "Computers"
container, despite having his quota set to 0, which according to this link is the
correct behaviour:
http://technet2.microsoft.com/WindowsServer/en/Library/7207aa3e-d95d-4176-a1ca-bc629f1ca6981033.mspx?mfr=true

Thank you again.

"Joe Richards [MVP]" wrote:

No that has no impact on delegation. However, you have to understand how
the join process works. If someone doesn't have the rights to join a
computer to the computers OU (or whatever OU the default join is
redirected to) then they won't be able to join a machine to AD unless
they do it with a scripted join process utilizing NETDOM or precreating
the account and specifying who can do the join.

So to answer your points directly:

A will not occur unless the delegated admin uses NETDOM.

B is likely unless, again, the delegated admin uses NETDOM and specifies
what OU to create the computer object in.

I haven't tested C; you can easily test if you can get it to work this
way: set the quota mentioned previously to 0 and then grant create child
for computers to the computers container for the group you want to do
the joins. See if it will then allow you to create a computer there
during a normal join.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
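The two controls discussed in this thread, the domain's ms-DS-MachineAccountQuota (KB 243327) and "Create Child" for computer objects on the Computers container, can be audited together. The following is an added example, not code from the thread; it assumes a modern domain with the RSAT ActiveDirectory module and the AD: PSDrive available in an administrative session, and the function names are the example's own.

```powershell
# Added example (not from the thread): audit the two controls discussed above,
# the domain's ms-DS-MachineAccountQuota and who holds "Create Child" for
# computer objects on the default Computers container.
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" object class; ACEs scoped to this GUID grant
# Create Child for computer objects only
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-MachineAccountQuota {
    $domain = Get-ADDomain
    $obj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    [int]$obj.'ms-DS-MachineAccountQuota'
}

# Lists every Allow ACE on the container that permits creating computer objects,
# either because it is scoped to the computer class or because it is unscoped
# (covers all child classes, e.g. Full Control / GenericAll).
function Get-ComputerCreateRights {
    param([string]$ContainerDN = (Get-ADDomain).ComputersContainer)
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ComputerClassGuid)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType,
            @{ n = 'Scope'; e = { if ($_.ObjectType -eq [guid]::Empty) { 'all child classes' } else { 'computer only' } } }
}

# Sets the quota to 0 (the KB 243327 change) so Authenticated Users can no longer
# create their own computer accounts during a join. Opt-in: call it explicitly.
function Set-MachineAccountQuotaToZero {
    $domainDN = (Get-ADDomain).DistinguishedName
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

$quota = Get-MachineAccountQuota
Write-Host "ms-DS-MachineAccountQuota = $quota"
if ($quota -gt 0) { Write-Warning "Authenticated Users can still each join $quota machines" }
$container = (Get-ADDomain).ComputersContainer
Write-Host "Principals allowed to create computer objects in $container :"
Get-ComputerCreateRights -ContainerDN $container | Format-Table -AutoSize
```

A quota of 0 alone is not enough if the report still lists broad groups with Create Child or Full Control on the container, which matches Sasi's observation in scenario C.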



Sasi wrote:
Does it have any negative impact on administration-delegated OUs? (Of course
the KB article suggests no, but I want to make sure.)
Another question:
Suppose I did this, and then created an OU and delegated control of that
OU to a user. Which of the following possible scenarios happens on the user's
attempt to join a workstation to the domain?

A. A computer object is created in that OU and the workstation is joined to the
domain.
B. The workstation is joined to the domain ONLY IF a previous computer
account is created prior to the domain-join attempt in that OU; otherwise it will
fail.
C. If a matching computer account is found, the workstation joins and uses that
account; otherwise a computer object is created in the default "Computers"
container (the default behaviour which I want to prevent).


"Joe Richards [MVP]" wrote:

Set the attribute specified to 0 and authenticated users will not be
able to arbitrarily add machines to your domain.




Sasi wrote:
Thank you. Maybe this helps me, maybe not; but it was a useful tip that I believe
comes in handy sometimes.

"Joe Richards [MVP]" wrote:

http://support.microsoft.com/?kbid=243327




Sasi wrote:
How can I prevent somebody from creating computer objects throughout the
Active Directory?
No matter what permissions I set, a user named userA (belonging to the "Domain
Users" group only) is always able to join computers to the domain using his/her
username/password, and a computer object is created in the "Computers" container.
I even set "Everyone"'s "Full Control" permission to "Deny" on the Computers
container, but still he/she can attach his/her computer to the domain with any
computer name, causing a computer account to be created in the Computers container.
What can I do to block creation of objects in default containers in Windows
2000, especially the "Computers" container?
