Re: User account that may generate computer accounts
- From: "dmartin" <dmartin@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 20 May 2005 11:54:06 -0700
If you are talking about automatically adding a wkst to the domain when it is
built then do the following:
Create a domain ID that you want to use build wkst
set the password to not expire & set it so no one can chg the pwd
make sure the ID is in the Domain Users group
Edit the Default Domain Policy:
go to "Computer Configuration"
Then open the "Windows Settings, Security Settings, Local Policies, User
Rights Assignment"
then add the ID created above (domain\ID) to the "Add workstations to
domain" policy
then add the same ID to the "Deny logon Locally"
Then in your script to build the computer be sure to add that Domain ID
"Lofote" wrote:
> Great, thanks. Is there anything I could break, if I set that value to 0
> other than the desired effect? Adding anything to AD with a domain admin
> will not be harmed, right?
>
>
> "Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx> wrote in message
> news:%23wkZc5gWFHA.2700@xxxxxxxxxxxxxxxxxxxxxxx
> >To decrease the value of ms-DS-MachineAccountQuota attribute (which sets the
> >number of computers AU can add):
> >
> > - Start Adsiedit.msc as an administrator of the domain.
> > - Expand the Domain NC node. Right-click the domain object, and then click
> > Properties.
> > - In the Select a property to view box, click ms-DS-MachineAccountQuota.
> > - In the Edit Attribute box, type a number. This number represents the
> > number of workstations that you want users to be able to add.
> > - Click Set, and then click OK.
> >
> > Regards,
> > /Jimmy
> > --
> > Jimmy Andersson, Q Advice AB
> > Microsoft MVP - Directory Services
> > ---------- www.qadvice.com ----------
> >
> >
> > "Lofote" <byespammers@xxxxxxxxx> wrote in message
> > news:%23vN6n0fWFHA.2984@xxxxxxxxxxxxxxxxxxxxxxx
> >> Thanks again for your reply.
> >>
> >> Still its something I do not want, as long as Domain Users are part of
> >> "Authenticated Users". I want to have the AD in complete control, which
> >> computers are inside the domain and which not. :) It can't be that some
> >> coworker brings his/her home laptop and adds it to the domain as s/he
> >> pleases. (even when they also can access the domain without being in
> >> there as you say). I also don't want to have any GPO applied to such
> >> computers. Policy here is that every single computer that is in that
> >> domain is under complete control from me and the other admin and was
> >> installed by anyone of us two - nobody else.
> >>
> >> So if there is anything how I can prevent it, please let me know :)...
> >>
> >>
> >> "Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx> wrote in message
> >> news:ePVcGqfWFHA.2700@xxxxxxxxxxxxxxxxxxxxxxx
> >>> If memory serves it's Authenticated Users not Everybody.
> >>>
> >>> Regards,
> >>> /Jimmy
> >>> --
> >>> Jimmy Andersson, Q Advice AB
> >>> Microsoft MVP - Directory Services
> >>> ---------- www.qadvice.com ----------
> >>>
> >>>
> >>> "Lofote" <byespammers@xxxxxxxxx> wrote in message
> >>> news:uRDAgRGWFHA.2928@xxxxxxxxxxxxxxxxxxxxxxx
> >>>> Thanks a lot, that was the thing I searched.
> >>>>
> >>>> but...
> >>>>
> >>>> uh...
> >>>>
> >>>> *everybody*, who has a domain user account (even guests?) is allowed to
> >>>> join
> >>>> his or her computer to my domain - up to 10? That is something I
> >>>> definitely
> >>>> not want. Is there anyway to only let people that own the "Add
> >>>> workstations
> >>>> to domain" right add a computer to the domain?
> >>>>
> >>>>
> >>>>
> >>>> "Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx> wrote in
> >>>> message
> >>>> news:Ou$VwY6VFHA.2256@xxxxxxxxxxxxxxxxxxxxxxx
> >>>>> By default all users have the right to add 10 computer accounts. If
> >>>>> you
> >>>>> just want to delegate this right to a user you'll find details here:
> >>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7207aa3e-d95d-4176-a1ca-bc629f1ca698.mspx
> >>>>>
> >>>>> Regards,
> >>>>> /Jimmy
> >>>>> --
> >>>>> Jimmy Andersson, Q Advice AB
> >>>>> Microsoft MVP - Directory Services
> >>>>> ---------- www.qadvice.com ----------
> >>>>>
> >>>>>
> >>>>> "news.microsoft.com" <byespammers@xxxxxxxxx> wrote in message
> >>>>> news:eLOMYQ6VFHA.3488@xxxxxxxxxxxxxxxxxxxxxxx
> >>>>>> Hello everybody,
> >>>>>>
> >>>>>> I want to create a user in my AD (Win2003), that is able to create
> >>>>>> computer accounts in the domain but may not create or edit user
> >>>>>> accounts.
> >>>>>> How can I accomplish this? Can I somehow set the rights on the
> >>>>>> "Computers" folder using the AD Users&Computers tool to set this
> >>>>>> right?
> >>>>>>
> >>>>>> The reason I want to do this is for unattended installation scripts
> >>>>>> (winnt.sif), that contain a domain admin password on a diskette. Now
> >>>>>> if
> >>>>>> some user gets this disk accidently s/he should at least not be able
> >>>>>> to
> >>>>>> modify user accounts and for example give him/herself admin rights.
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >
>
>
>
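The two procedures discussed in this thread, Jimmy's Adsiedit steps for lowering ms-DS-MachineAccountQuota and dmartin's recipe for a dedicated workstation-join account, as one PowerShell script. This is an added example, not code from anyone in the thread; it assumes the RSAT ActiveDirectory module, an account allowed to edit the domain object and create users, and it is run on a domain controller so that the secedit export at the end reflects the user rights that apply to "Add workstations to domain". The account name, OU path and quota value are placeholders. Lowering the quota only affects users who join computers via the default quota; principals with explicit permission to create computer objects (Domain Admins, or a delegated join account) are not limited by it.

```powershell
# Added example, not from the thread. Placeholders: account name, OU, quota.
#Requires -Modules ActiveDirectory
param(
    [string]$JoinAccountName = 'svc-wkstjoin',                           # placeholder
    [string]$JoinAccountOU   = 'OU=Service Accounts,DC=example,DC=com',  # placeholder
    [int]   $NewQuota        = 0                                         # 0 = no default quota
)

Import-Module ActiveDirectory

# --- Part 1: ms-DS-MachineAccountQuota on the domain object (Jimmy's Adsiedit steps) ---
$domainDN = (Get-ADDomain).DistinguishedName
$before   = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota before: $before"

Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = $NewQuota }

$after = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota after:  $after"

# --- Part 2: dedicated join account (dmartin's steps 1-3) ---
# Password never expires and the account itself cannot change it, as in the post.
$password = Read-Host -AsSecureString "Password for $JoinAccountName"
New-ADUser -Name $JoinAccountName -SamAccountName $JoinAccountName -Path $JoinAccountOU `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Workstation join account'

# Confirm Domain Users membership (it is the default primary group, so this normally passes).
$inDomainUsers = Get-ADPrincipalGroupMembership -Identity $JoinAccountName |
    Where-Object { $_.Name -eq 'Domain Users' }
if (-not $inDomainUsers) { Write-Warning "$JoinAccountName is not in Domain Users" }

# --- Part 3: verify the user rights assignments dmartin edits in the Default Domain Policy ---
# secedit exports the effective local security policy of this DC; the right names are
# SeMachineAccountPrivilege ("Add workstations to domain") and
# SeDenyInteractiveLogonRight ("Deny log on locally"). Members are listed as *SID.
$sid = (Get-ADUser -Identity $JoinAccountName).SID.Value
$cfg = Join-Path $env:TEMP 'userrights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = Get-Content $cfg |
    Where-Object { $_ -match '^(SeMachineAccountPrivilege|SeDenyInteractiveLogonRight)\s*=' }

foreach ($name in 'SeMachineAccountPrivilege', 'SeDenyInteractiveLogonRight') {
    $line = $rights | Where-Object { $_ -like "$name*" }
    if ($line -and $line -like "*$sid*") {
        Write-Host "$name includes $JoinAccountName"
    } else {
        Write-Warning "$name does NOT include $JoinAccountName (add it in the GPO as described above)"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Part 3 only reports; the right itself is still granted through the Group Policy editor as dmartin describes, so the check is what you run after the GPO has replicated to the DC you are testing on.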