Re: User account that may generate computer accounts




Great, thanks. Is there anything I could break, if I set that value to 0
other than the desired effect? Adding anything to AD with a domain admin
will not be harmed, right?


"Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx> wrote in message
news:%23wkZc5gWFHA.2700@xxxxxxxxxxxxxxxxxxxxxxx
> To decrease the value of the ms-DS-MachineAccountQuota attribute (which sets
> the number of computers AU can add):
>
> - Start Adsiedit.msc as an administrator of the domain.
> - Expand the Domain NC node. Right-click the domain object, and then click
> Properties.
> - In the Select a property to view box, click ms-DS-MachineAccountQuota.
> - In the Edit Attribute box, type a number. This number represents the
> number of workstations that you want users to be able to add.
> - Click Set, and then click OK.
>
> Regards,
> /Jimmy
> --
> Jimmy Andersson, Q Advice AB
> Microsoft MVP - Directory Services
> ---------- www.qadvice.com ----------
>
>
> "Lofote" <byespammers@xxxxxxxxx> wrote in message
> news:%23vN6n0fWFHA.2984@xxxxxxxxxxxxxxxxxxxxxxx
>> Thanks again for your reply.
>>
>> Still, it's something I do not want, as long as Domain Users are part of
>> "Authenticated Users". I want to have the AD in complete control, which
>> computers are inside the domain and which not. :) It can't be that some
>> coworker brings his/her home laptop and adds it to the domain as s/he
>> pleases. (even when they also can access the domain without being in
>> there as you say). I also don't want to have any GPO applied to such
>> computers. Policy here is that every single computer that is in that
>> domain is under complete control from me and the other admin and was
>> installed by anyone of us two - nobody else.
>>
>> So if there is any way I can prevent it, please let me know :)...
>>
>>
>> "Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx> wrote in message
>> news:ePVcGqfWFHA.2700@xxxxxxxxxxxxxxxxxxxxxxx
>>> If memory serves it's Authenticated Users not Everybody.
>>>
>>> Regards,
>>> /Jimmy
>>> --
>>> Jimmy Andersson, Q Advice AB
>>> Microsoft MVP - Directory Services
>>> ---------- www.qadvice.com ----------
>>>
>>>
>>> "Lofote" <byespammers@xxxxxxxxx> wrote in message
>>> news:uRDAgRGWFHA.2928@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Thanks a lot, that was the thing I searched.
>>>>
>>>> but...
>>>>
>>>> uh...
>>>>
>>>> *everybody* who has a domain user account (even guests?) is allowed to
>>>> join his or her computer to my domain - up to 10? That is something I
>>>> definitely do not want. Is there any way to only let people that own the
>>>> "Add workstations to domain" right add a computer to the domain?
>>>>
>>>>
>>>>
>>>> "Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx> wrote in message
>>>> news:Ou$VwY6VFHA.2256@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> By default all users have the right to add 10 computer accounts. If
>>>>> you just want to delegate this right to a user you'll find details here:
>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7207aa3e-d95d-4176-a1ca-bc629f1ca698.mspx
>>>>>
>>>>> Regards,
>>>>> /Jimmy
>>>>> --
>>>>> Jimmy Andersson, Q Advice AB
>>>>> Microsoft MVP - Directory Services
>>>>> ---------- www.qadvice.com ----------
>>>>>
>>>>>
>>>>> "news.microsoft.com" <byespammers@xxxxxxxxx> wrote in message
>>>>> news:eLOMYQ6VFHA.3488@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Hello everybody,
>>>>>>
>>>>>> I want to create a user in my AD (Win2003) that is able to create
>>>>>> computer accounts in the domain but may not create or edit user
>>>>>> accounts. How can I accomplish this? Can I somehow set the rights on
>>>>>> the "Computers" folder using the AD Users&Computers tool to set this
>>>>>> right?
>>>>>>
>>>>>> The reason I want to do this is for unattended installation scripts
>>>>>> (winnt.sif) that contain a domain admin password on a diskette. Now
>>>>>> if some user gets this disk accidentally, s/he should at least not be
>>>>>> able to modify user accounts and, for example, give him/herself admin
>>>>>> rights.
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
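
A scripted equivalent of the ADSI Edit steps quoted above, added here as an example and not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that it is run by an account allowed to modify the domain object. Before changing the quota, it also lists the computer accounts that were created under it.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Read the current quota from the domain object (the object edited in ADSI Edit).
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota on ${domainDn}: $quota"

# 2. List computer accounts that were created under the quota.
#    AD stamps ms-DS-CreatorSID on those objects; accounts created by
#    administrators or by users with delegated "Create Computer objects"
#    permission normally do not carry it.
$quotaJoined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier("$($_.'ms-DS-CreatorSID')")
        try {
            $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $creator = $sid.Value   # creator account was deleted or cannot be resolved
        }
        [pscustomobject]@{
            Computer    = $_.Name
            Creator     = $creator
            WhenCreated = $_.whenCreated
        }
    }
$quotaJoined | Sort-Object Creator, WhenCreated | Format-Table -AutoSize

# 3. Set the quota to 0 so only explicitly delegated accounts and
#    administrators can create computer objects.
#    -WhatIf shows the change without applying it; remove it to commit.
Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf

# 4. After committing, read the attribute back to confirm the new value.
(Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

Any machine listed in step 2 that the administrators did not install themselves is a candidate for review before the quota is tightened.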

