Re: Prevent from Creating Computer Objects
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Wed, 05 Jul 2006 12:27:37 -0400
n/p
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Sasi wrote:
Dear Joe.
Thank you. Your tip along with the "add workstation to domain" articles helped me solve my problem.
FYI:
A: did not happen, as you told me.
B: happened, provided that the user has proper permissions on the already-created computer object (I mean those 4 permissions that are granted when you set "The following user and group can join this computer to a domain").
C: happened, provided that the user has proper permissions on the "Computers" container, despite having his quota set to 0, which according to this link is the correct behaviour:
http://technet2.microsoft.com/WindowsServer/en/Library/7207aa3e-d95d-4176-a1ca-bc629f1ca6981033.mspx?mfr=true
Thank you again.
"Joe Richards [MVP]" wrote:
No that has no impact on delegation. However, you have to understand how the join process works. If someone doesn't have the rights to join a computer to the computers OU (or whatever OU the default join is redirected to) then they won't be able to join a machine to AD unless they do it with a scripted join process utilizing NETDOM or precreating the account and specifying who can do the join.
So to answer your points directly:
A will not occur unless the delegated admin uses NETDOM.
B is likely unless, again, the delegated admin uses NETDOM and specifies what OU to create the computer object in.
I haven't tested C; you can easily test if you can get it to work this way: set the quota mentioned previously to 0 and then grant Create Child for computers on the Computers container to the group you want to do the joins. See if it will then allow you to create a computer there during a normal join.
joe
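The test Joe describes (quota to 0, then an explicit Create Child grant on the Computers container) and a way to find the computer objects that were created through the quota, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later, not the Windows 2000 environment the thread discusses); the group name is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module.
# 1. Read and set ms-DS-MachineAccountQuota (KB 243327) on the domain object.
# 2. Grant one group "Create Child" restricted to the computer class on
#    CN=Computers, so only that group can create accounts there via a join.
# 3. List computer objects created via the quota (mS-DS-CreatorSID is only
#    populated when a non-admin used the quota to create the object).
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$container = $domain.ComputersContainer            # normally CN=Computers,<domainDN>
$joinGroup = 'CONTOSO\Workstation Joiners'         # placeholder group name

# --- 1. Machine account quota -------------------------------------------------
$before = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota before: $before"
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# --- 2. Delegate Create Child (computer objects only) on the container --------
# Read the computer class GUID from the schema instead of hard-coding it.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

$groupSid = (New-Object System.Security.Principal.NTAccount($joinGroup)).Translate(
               [System.Security.Principal.SecurityIdentifier])

# Allow: CreateChild, limited to objectType = computer, on this object only.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$container"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$container" -AclObject $acl
Write-Host "Granted Create Child (computer) on $container to $joinGroup"

# --- 3. Report objects that were created through the quota -------------------
Get-ADComputer -SearchBase $container -LDAPFilter '(mS-DS-CreatorSID=*)' `
               -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        if ($sid -isnot [System.Security.Principal.SecurityIdentifier]) {
            # The module may return the raw byte[]; convert it.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
        }
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $creator; Created = $_.whenCreated }
    } | Format-Table -AutoSize
```

Run it as a domain administrator. Step 3 is the check Sasi was missing at the start of the thread: objects that carry mS-DS-CreatorSID were created by an ordinary user consuming the quota, not by a delegated admin or a pre-created account, so the list shows exactly which joins the quota change will stop going forward and which existing accounts to review.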
Sasi wrote:
Does it have any negative impact on administration-delegated OUs? (Of course the KB article suggests no, but I want to make sure.)
Another question:
Suppose I did this, and then created an OU and delegated control of that OU to a user. Which of the following possible scenarios happens on the user's attempt to join a workstation to the domain?
A. A computer object is created in that OU and the workstation is joined to the domain.
B. The workstation is joined to the domain ONLY IF a computer account was created in that OU prior to the domain-join attempt; otherwise it will fail.
C. If a matching computer account is found, the workstation joins and uses that account; otherwise a computer object is created in the default "Computers" container (the default behaviour, which I want to prevent).
"Joe Richards [MVP]" wrote:
Set the attribute specified to 0 and authenticated users will not be able to arbitrarily add machines to your domain.
Sasi wrote:
Thank you. Maybe this helps me, maybe not; but it was a useful tip that I believe will come in handy sometime.
"Joe Richards [MVP]" wrote:
http://support.microsoft.com/?kbid=243327
Sasi wrote:
How can I prevent somebody from creating computer objects throughout the Active Directory?
No matter what permissions I set, a user named userA (belonging to the "Domain Users" group only) is always able to join computers to the domain using his/her username/password, and a computer object is created in the "Computers" container.
I even set "Everyone"'s "Full Control" permission to "Deny" on the Computers container, but still he/she can attach his/her computer to the domain with any computer name, causing a computer account to be created in the Computers container.
What can I do to block creation of objects in the default containers in Windows 2000, especially the "Computers" container?