Re: join domain/create computer accounts... driving me NUTS!
- From: "Jimmy D" <NOSPAM_jjd228@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Jan 2006 11:25:04 -0500
FYI...
the RIGHT way to do this is to simply give "create/delete computer object"
permissions at the Computers OU. Then give full control permissions to
computer objects in the OU.
yup... 2 permissions makes it work. without hacking away at templates like
you've invented a better way to do something.
"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:uCyTVdGIGHA.2212@xxxxxxxxxxxxxxxxxxxxxxx
> Thanks Paul.
>
> I guess this guy does not understand the difference between having:
> (A)
> one group that pre-creates computer accounts in the correct OU
> one group that joins computers to the pre-created computer accounts
>
> (B)
> one group that pre-creates computer accounts in the correct OU and joins
> computers to the pre-created computer accounts
>
> this is especially helpful when such a group consists of more than one admin
> and computer accounts are pre-created by different admins as it is not
> possible to choose an OU using the GUI, only NETDOM can do that.
>
> the problem occurs when accounts are pre-created. The Creator becomes the
> owner and only the owner (and domain admins) have the permission to join a
> computer to that pre-created account. It saves the step to additionally
> add a user or group that has permissions to join the computer to the
> pre-created account
>
> Believe it or not, some people have found this solution to be very useful
> because their company works the way I describe.
>
> It is only a shame such people exist and dare to ask a question to get
> help, shout at others while they have no solution for themselves, and
> still keep shouting towards others.
> I think it is frustration that is melting his brains. It is a shame!
>
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
> # Jorge de Almeida Pinto #
> MVP Windows Server - Directory Services
> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> -----------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no
> rights!
> * Always test before implementing!
> -----------------------------------------------------------------------------
>
>
> -----------------------------------------------------------------------------
> "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx> wrote in message
> news:1138026476.756706@xxxxxxxxxxxxxxxxxxxxxx
>> Jimmy,
>>
>> Your posts are somewhat harsh and unnecessary. Please try and refrain from
>> being pessimistic and boorish and instead try and offer some positive
>> feedback. If you felt that Jorge's post or article was unclear to you (we
>> all read in different ways and understand things differently), then it would
>> be more helpful and sensible to state that you found it difficult to follow
>> for whatever reason. Blogs have feedback capabilities. There is no need to
>> publicly dismiss his efforts and work. Jorge has a very active, helpful
>> blog that many newsgroup posters have found help at.
>>
>> Now, regarding your original post, have you seen this KB?
>> -- http://support.microsoft.com/?id=251335
>>
>>
>> This discusses several ways of granting the necessary permissions to add
>> computer accounts to the directory. Unfortunately, this doesn't help much
>> at the client end. In the very short space of time I have spent looking at
>> this, it would appear that you have to be a local administrator to join the
>> workstation in question to the domain. I've yet to find a right or policy
>> that will grant standard users this ability.
>>
>> If, however, your helpdesk people are administrators of PCs, then this will
>> help. Jorge's article illustrates how to use the delegation of control
>> wizard to achieve this. There are, of course, other ways - for instance,
>> all delegwiz does is set permissions on objects - you can do that yourself
>> if you know what permissions to set.
>>
>> I must recommend that you download and read the Microsoft Active Directory
>> Delegation Best Practices whitepaper (and the appendix). This isn't
>> perfect, but it will cover everything you need.
>>
>> --
>> Paul Williams
>> Microsoft MVP - Windows Server - Directory Services
>> http://www.msresource.net | http://forums.msresource.net
>>
>>
>
>
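The two permissions described at the top of this message, written out with `dsacls` and followed by an audit of the resulting ACEs. This is an added example, not part of the original thread; the OU distinguished name and the group name are hypothetical placeholders, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example; the OU DN and group name are hypothetical placeholders.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

$ouDn  = 'OU=Workstations,DC=example,DC=com'
$group = 'EXAMPLE\HelpDesk-Join'

# Permission 1: create/delete computer objects in the OU itself
# (CC = create child, DC = delete child, limited to object type "computer").
dsacls $ouDn /G "${group}:CCDC;computer"

# Permission 2: full control (GA) inherited only by computer objects
# below the OU (/I:S = sub-objects only, third field = inherited type).
dsacls $ouDn /I:S /G "${group}:GA;;computer"

# Audit: list every explicit Allow ACE on the OU that grants either right
# scoped to the computer class, so the delegation can be reviewed and
# unexpected trustees spotted. ACEs scoped to all object types are not matched.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of "computer"
$rights    = [System.DirectoryServices.ActiveDirectoryRights]
$createDel = [int]($rights::CreateChild -bor $rights::DeleteChild)
$fullCtl   = [int]$rights::GenericAll

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
    ForEach-Object {
        $r = [int]$_.ActiveDirectoryRights
        $kind = if ($_.ObjectType -eq $computerClass -and ($r -band $createDel)) {
            'create/delete computer objects'
        } elseif ($_.InheritedObjectType -eq $computerClass -and
                  ($r -band $fullCtl) -eq $fullCtl) {
            'full control on computer objects'
        }
        if ($kind) {
            [pscustomobject]@{
                Trustee = $_.IdentityReference
                Grants  = $kind
                Rights  = $_.ActiveDirectoryRights
            }
        }
    }
```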