Re: What happens to the machine name in AD?

From: Guido G (guidoDOTgrillenmeierAThpANOTHERDOTcom)
Date: 02/03/05


Date: Thu, 3 Feb 2005 11:34:19 +0100

The user needs Write permissions on the computer object to modify all
attributes. The normal user doesn't have these permissions, but you'd
usually grant these rights on the OU that contains the computer objects.

E.g. if you've split up your OUs by location, and you'd want to make this
work for the local admins of location1, you'd create a group called something
like "ComputerAdmins_Location1" containing the user accounts of those local
admins. Then you'd grant this group either modify or full control on
computer objects on the location1 OU in AD. Realize that this doesn't grant
them permissions to ADD or DELETE computer objects - those are extra
permissions you'd need to grant if you want them to be able to join new
computers to the domain, but just in their OU (same thing to delete them).

The latter will only make sense if you remove the default privilege for any
authenticated user to add 10 computers to the domain - otherwise they could
always create a few accounts in the domain's Computers container. You can
remove these rights by editing the Default Domain Controllers Policy
(replace "Authenticated Users" with "Domain Admins" for the "Add
workstations to domain" User Right in Computer Config\Windows
Settings\Security Settings\Local Policies\User Rights Assignment).

/Guido

"SA" <nospam@nospam.nospam> wrote in message
news:eNXiByVCFHA.1392@tk2msftngp13.phx.gbl...
> Thanks guys,
> Guido, that's exactly what I meant to ask.
> They don't have the right to change the computer name by default, do they?
> If I want to make this happen automatically, what rights would the users
> need on the computer OU?
>
> SA.
>
> "Guido G" <guidoDOTgrillenmeierAThpANOTHERDOTcom> wrote in message
> news:OgSXsYVCFHA.208@TK2MSFTNGP12.phx.gbl...
> > I guess SA was more referring to a machine that's already a member of an
> > AD domain. Here it's more a question on how you change the machine name and
> > which permissions you have in AD.
> >
> > If a local admin changes the PC name (of 2000/XP/2003 machines) via the
> > UI, he will be prompted for his credentials in the domain. If the user had
> > sufficient rights on the object in AD (e.g. delegated permissions set on
> > the OU which holds the computer accounts), then next to renaming the
> > computer locally, the computer account in AD would also be renamed and the
> > computer would remain joined to the domain. Otherwise, a rename will disjoin it.
> >
> > The local administrator can also change the name on the PC via a simple
> > script - if this script doesn't also update the respective computer
> > account in AD, the machine will again be disjoined from the domain. If the
> > script is smart enough and the user had sufficient rights on the object in
> > AD, then the computer would remain in the domain and be renamed at both ends.
> >
> > On the DNS end, I believe a new DNS record will be created for the new
> > name (i.e. the old one remains until it is scavenged, if you've turned on
> > this feature).
> >
> > /Guido
> >
> >
> > "Allen Firouz" <AllenFirouz@discussions.microsoft.com> wrote in message
> > news:C58E166C-07C8-4CA6-8502-B17004F17A79@microsoft.com...
> >> SA,
> >>
> >> If you are using Windows 2000, XP or 2003 (which can handle Dynamic DNS
> >> Registration), then it is as simple as changing the PC name and joining
> >> it to the domain. These OSes automatically register and update their name
> >> in DNS.
> >> Refer to these links:
> >> Dynamic DNS: http://support.microsoft.com/kb/q246804/
> >> Force DNS name registration:
> >> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_tro_UsingIpconfigRegisterdns.asp
> >>
> >> WinXP DNS registration:
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;305553&sd=tech
> >>
> >> -Allen Firouz
> >>
> >>
> >> "SA" wrote:
> >>
> >> > Hi,
> >> > I wanted to know what happens to the machine name in AD when it is
> >> > changed on the PC side? Does the name get changed automatically on the
> >> > side or does it need to be manually updated?
> >> > Thanks,
> >> > SA.
> >> >
> >> >
> >> >
> >
> >
>
>
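The delegation Guido describes (full control on computer objects inside one location's OU, plus separate create/delete rights so the local admins can join and remove machines there) and the follow-up check on the domain-wide "any authenticated user may add 10 computers" default, written out as a PowerShell script. This is an added example and not code from anyone in the thread; the domain name EXAMPLE, the OU `OU=Location1,DC=example,DC=com` and the group `ComputerAdmins_Location1` are constructed placeholders. It goes slightly beyond the post by also reading the `ms-DS-MachineAccountQuota` attribute, which is the attribute behind the "10 computers" default, alongside the `SeMachineAccountPrivilege` user right the post tells you to edit.

```powershell
# Added example, not part of the original thread. Delegate computer-object
# management on one OU to a location-specific admin group with dsacls.exe,
# then verify the delegation and the domain's default machine-account quota.
# Run on a domain controller (or a host with RSAT) as a domain admin.
# EXAMPLE / Location1 / ComputerAdmins_Location1 are constructed placeholders.

$Domain = 'EXAMPLE'
$OuDn   = 'OU=Location1,DC=example,DC=com'
$Group  = "$Domain\ComputerAdmins_Location1"

# 1. Full control on computer objects that live inside the OU (existing and
#    future ones). /I:S applies the ACE to sub-objects only, so the group gets
#    nothing on the OU itself; "GA;;computer" scopes Generic All to objects of
#    class 'computer', so user or group objects in the same OU are untouched.
dsacls $OuDn /I:S /G "${Group}:GA;;computer"

# 2. Joining a new machine into this OU (or removing one) needs create/delete
#    child rights on the OU, which step 1 deliberately did not grant.
#    "CCDC;computer" = Create Child + Delete Child, limited to computer objects.
dsacls $OuDn /G "${Group}:CCDC;computer"

# 3. Review the result: every ACE naming the group should carry a 'computer'
#    object-type qualifier. An unqualified GA on the OU would be over-delegation.
Write-Host "ACEs for $Group on $OuDn"
dsacls $OuDn | Select-String -SimpleMatch 'ComputerAdmins_Location1'

# 4. The per-OU delegation only means something if the domain-wide default
#    (any authenticated user may create 10 computer accounts in the Computers
#    container) is removed. Two things to check:
Import-Module ActiveDirectory

#    a) ms-DS-MachineAccountQuota on the domain head. 0 means no default joins.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota: authenticated users can still add $quota computer accounts."
    # Remediation, if that is the decision: Set-ADDomain -Identity $domainDn -Replace @{'ms-DS-MachineAccountQuota' = 0}
} else {
    Write-Host 'ms-DS-MachineAccountQuota is 0.'
}

#    b) The "Add workstations to domain" user right (SeMachineAccountPrivilege)
#       as applied on this DC. secedit exports the effective local policy; the
#       SIDs on that line should resolve to Domain Admins (S-1-5-21-...-512),
#       not Authenticated Users (S-1-5-11). The thread's fix is to change this
#       right in the Default Domain Controllers Policy GPO.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
if ($line -and $line.Line -match 'S-1-5-11') {
    Write-Warning "SeMachineAccountPrivilege still includes Authenticated Users: $($line.Line)"
} else {
    Write-Host "SeMachineAccountPrivilege: $($line.Line)"
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Steps 1 and 2 are two separate ACEs on purpose: the first lets the group rename and edit machines already in the OU (which is what keeps a renamed PC joined), the second lets them add and remove machines, and you can hand out one without the other. Step 4 is a read-only check; the `Set-ADDomain` remediation is left as a comment so the script does not change domain-wide policy by accident.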


