Re: Creating Computer Accounts in the Active Directory

From: Greg K Wong (Nunya_at_biddness.com)
Date: 01/08/05


Date: Sat, 08 Jan 2005 10:01:45 -0600

Ulf, thank you for your reply.

I have tried Domain Users; that did not work correctly either.
It is important for us to be able to use "Everyone", because when our
AD was created, it was designed badly. It is a very large
enterprise-sized company, and the Administrators are nested in FAR too many
groups, creating a token-size issue. Whenever an Admin tries to use
their Administrator account to join a PC to the domain, they receive
an error stating, "There was not enough server storage to process this
command". So, in order to join the PCs to the domain, we must use
our regular user accounts. We are aware of the issue, Microsoft is
aware of the issue, and it would seem the only fix is to remove the
admins from groups that they are required to be in.

Thanks,

Greg

On Sat, 8 Jan 2005 08:36:33 +0000, "Ulf B. Simon-Weidner [MVP]"
<nospam2-ulf@usw-consulting.com> wrote:

>"Greg K Wong" <Nunya@biddness.com> wrote in message
>news:Nunya@biddness.com:
>> I am looking for input on how to create multiple computer
>> accounts in the Active Directory using VBScript. I have been
>> successful in creating the machine accounts, but I need to be able to
>> specify a GROUP that may join the machine to the domain other than
>> the Domain Administrators. Specifically, when the accounts are
>> created I would like to enable "Everyone" to join the PC to the
>> domain.
>> The script below is directly from Microsoft. It seems to show
>> how to specify a user or group that can join the machine to a domain,
>> but I am having trouble getting this to work correctly.
>>
>[snip]
>
>Hi Greg,
>
>I'd try a different account, like domain users. And verify what's
>written in the security-descriptor. You can do that with the first part
>of the script listed at
>http://www.windowsserverfaq.de/faq/CompACLs.asp.
>(you can also run the full script - it won't change anything if there's
>not the specified error on the DACL in the object.)


