Re: restrict delegated admins to create computer accounts in AD
From: ptwilliams (ptw2001_at_hotmail.com)
Date: 09/27/04
- Next message: Anonymous: "Re: Update administrative templates"
- Previous message: umut cavusoglu: "Re: restrict delegated admins to create computer accounts in AD"
- In reply to: umut cavusoglu: "Re: restrict delegated admins to create computer accounts in AD"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 27 Sep 2004 07:23:40 +0100
If you wish to give these people a maximum number of machines that can be added,
you're going to have to do two things in addition to what was previously posted:
-- Set the ms-DS-MachineAccountQuota domain attribute to 50 (use ADSIEdit
to do this*)
-- Disable (normal) users from joining machines to the domain via GPO (that
is, remove users from this right assignment)
(\Computer Configuration\ Windows Settings\ Security Settings\ Local
Policies\ User Rights Assignments\
Add Workstations to the domain)
* Overriding (modifying) the default value set in the schema
Right-click and choose properties on a domain controller
(DC=dcName,DC=yourDomain,DC=com) under the domain (DC=yourDomain,DC=com)
value and then click attributes.
In the Select a Property to view drop-down list box, select
ms-DS-MachineAccountQuota.
In the Edit attribute text box, modify the value of 10 to whatever you want
(50) and apply this value by pressing Set, and then OK.
-- Paul Williams
http://www.msresource.net
Why not join us in our free, public forum?
http://forums.msresource.net
______________________________________

"umut cavusoglu" <umutcavusoglu@discussions.microsoft.com> wrote in message
news:7CEC89D2-021F-4555-BA7B-E855457907F3@microsoft.com...
That's clear, thanks, but my problem is: if I should limit them to creating,
for example, no more than 50 computer accounts, is that allowed with DACL
settings???

"ptwilliams" wrote:
> The way to do this is to create security groups (domain local) and give
> those groups an advanced write permission(s) to the OUs they represent,
> e.g.
> OU=UK, Domain Local Security Group = ouUK, and then add users to a global
> group and add that group to the domain local.
>
> Now, any users added to the global groups that are members of the
> appropriate local groups will be able to prestage computer accounts in
> their OUs. These computers can then be joined to the domain and will be
> members of the appropriate OU, as the computer will recognise its prestaged
> account.
>
> The exact permissions required are:
> -- Create Computer Objects
> -- Delete Computer Objects
>
> To access these permissions, use the advanced DACL editor on the OU you
> wish to make this change on.
>
> These permissions can also be set through the delegation of control
> wizard.
>
> Paul Williams
> _______________________________
> http://www.msresource.net
>
> Join us in our free, public forum:
> http://forums.msresource.net
> _______________________________
>
> "umut cavusoglu" <umutcavusoglu@discussions.microsoft.com> wrote in
> message
> news:69E246B2-80F8-4066-8258-BB5680E9FAAF@microsoft.com...
> I need help to restrict my sub-admins, those distributed across different
> locations, to create or to pre-stage limited computer accounts (not add
> computers to the domain) in the AD hierarchy?
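The three steps discussed in this thread (delegate Create/Delete Computer Objects on an OU, raise ms-DS-MachineAccountQuota, and check who holds "Add workstations to domain") as one PowerShell script. This is an added worked example, not code from Paul's post or from Microsoft; the OU name OU=UK,DC=yourDomain,DC=com, the group ouUK and the quota of 50 are assumed from the thread. One caveat worth knowing before relying on the quota as a cap: ms-DS-MachineAccountQuota is only consulted when a user creates a computer account through the "Add workstations to domain" user right (those objects get mS-DS-CreatorSID stamped). A principal that has been delegated Create Computer Objects on the OU is never counted against the quota, so the delegated DACL and the quota are two separate paths, and the final audit query below shows only the quota path.

```powershell
# Added example, not part of the original thread. Assumed names: the OU
# OU=UK,DC=yourDomain,DC=com, the domain local group ouUK and a quota of 50.
# Run as a domain admin on a host with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$ou       = 'OU=UK,DC=yourDomain,DC=com'   # assumed
$groupSam = 'ouUK'                         # assumed
$quota    = 50                             # assumed

# --- 1. Delegate "Create Computer Objects" and "Delete Computer Objects" on the OU.
# The ACE is CreateChild|DeleteChild scoped to the computer class, so look up the
# class's schemaIDGUID instead of hard-coding it.
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$computerCls  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid = [guid]$computerCls.schemaIDGUID
$groupSid     = (Get-ADGroup -Identity $groupSam).SID

$acl    = Get-Acl -Path "AD:\$ou"
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,                                                   # computer objects only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# --- 2. Raise ms-DS-MachineAccountQuota on the domain NC head (schema default is 10).
$domainDn = (Get-ADDomain).DistinguishedName
Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = $quota }

# --- 3. Check the current "Add workstations to domain" assignment. The setting itself
# lives in GPO (Default Domain Controllers Policy); this exports the effective policy
# on the DC you run it on so you can see who still holds SeMachineAccountPrivilege.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern 'SeMachineAccountPrivilege'

# --- Verify and audit.
# Quota now in effect:
(Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# ACEs on the OU that reference the delegated group:
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType

# Computers created against the quota carry mS-DS-CreatorSID; objects created by a
# principal with delegated Create Child rights do not carry it and are not counted.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties 'mS-DS-CreatorSID' |
    Group-Object { "$($_.'mS-DS-CreatorSID')" } |
    Select-Object @{ n = 'CreatorSid'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
```

Step 3 only reads the user right; removing Authenticated Users from "Add workstations to domain" is still done in the GPO editor at the path Paul gives, since a local secedit change on a DC is overwritten at the next policy refresh. The last query is the useful audit for this thread's question: it lists, per creator SID, how many accounts each user has joined via the quota, which is exactly the population the quota limits.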