Re: unable to add machine accounts to domain
- From: stosti <stosti@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 21 Feb 2006 14:54:56 -0800
found it! I set it to 25. It was 10. I created a new user account. I
called it "test". I tried to add a computer to the domain. I got the error
"access denied...". I still can't add the machine.
"Jorge de Almeida Pinto [MVP]" wrote:
naming context or partition.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
"stosti" <stosti@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:636634A9-E601-427E-BE92-0EBF9D394722@xxxxxxxxxxxxxxxx
NC?
"Jorge de Almeida Pinto [MVP]" wrote:
start ADSIEDIT
connect to the domain NC
right click on the domain NC and retrieve its properties.
go to the attribute called ms-DS-MachineAccountQuota
you will see a value of 10.
put a numeric value in there that fits your needs (and again it will be a
limit)(using the other method there will be no limit)
"stosti" <stosti@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:483C41B4-B92F-460B-8BD9-0702F5D9782B@xxxxxxxxxxxxxxxx
I would prefer to increase the quota if that is possible...
"Jorge de Almeida Pinto [MVP]" wrote:
OK.... you have the following possibilities here
(1) you could increase the quota so auth. users are able to add/join up to more than 10 computers to the domain
(2) Create a NEW OU, using the REDIRCMP (see below) redirect the default computers container to the NEW OU. Doing this will even give you the possibility to link GPOs to the NEW container which is not possible in the default computers container
After that you need to delegate permissions on that OU so that every user can add/join computers to the domain.
In the DELEGWIZ.INF (%WINDIR%\INF) adjust template 6 to:
;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container
Description = "Join a computer to the domain"
ObjectTypes = SCOPE
[template6.SCOPE]
computer=CC
;----------------------------------------------------------
After this you can delegate this task to authenticated users on the NEW OU to join computers to the domain. The user account that is used to join will automatically become the owner of the computer and will thus have the rights to create the computer account in the OU and to join the computer to it. No other authenticated user (except for account operators, administrators, other groups with full control or the correct permissions) will be able to "manage" that computer account
############
Redirusr.exe (for user accounts) and redircomp.exe (for computer accounts) are two new tools included with Windows Server 2003 to assist with the application of Group Policy to new user and computer accounts. These tools are located in %windir%\system32. New user and computer accounts are created in the CN=Users and CN=Computers containers by default. It is not possible to apply Group Policy directly to these containers. By running Redirusr.exe and Redircomp.exe once for each domain, the domain administrator can specify OUs into which all new user and computer accounts are placed at the time of creation. This allows administrators to manage these unassigned accounts by using Group Policy before the administrators assign them to the OU in which they are finally placed. It is recommended that the OUs used for new user and computer accounts be highly restricted by means of linked GPOs to increase security around new accounts.
For more information about redirecting the Users and Computers containers, see article Q324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base.
############
"stosti" <stosti@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C48FDF14-184A-45B0-A24B-551375733F95@xxxxxxxxxxxxxxxx
Actually I would like if the Microsoft feature that allows a user to add 10 machines to the domain worked. This will have to do... We add machines often because we are a software company.
All of our computers are in the "computer" container...
"Jorge de Almeida Pinto [MVP]" wrote:
just checking...
are you really sure you want EVERY user in the organization to add computers to the domain?
remember when you join computers to the domain the accounts are placed into the default computer container.
If you delegate the permissions to join computers to the domain in some OU the computer account should be pre-created in the OU OR the user should use NETDOM and target the OU where the computers should reside.
Besides that those users must have local administrator permissions on those computers and because the computers are not joined they must know the password for the local administrator or use another account with the same privileges
IMHO, you really do not want that.
How many OUs do you have where computer accounts should reside for clients?
WHY do you want all users to be able to do that instead of delegating it to service desk personnel?
"stosti" <stosti@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:23E99E96-0BA9-4D11-A961-2CC183B2F97F@xxxxxxxxxxxxxxxx
I would like to have all authenticated users be able to add workstations to the domain. Currently only administrators and account operators can successfully add a machine.
New users cannot add 10 machines anymore as well...
Thank You!!!
"Jorge de Almeida Pinto [MVP]" wrote:
OK, please explain what you would like to achieve...don't forget any details, just say what you really want
Having that I will try to help you
"stosti" <stosti@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:25AA187E-86B8-4870-A272-FE88F7D14FDF@xxxxxxxxxxxxxxxx
The article is a bit confusing... So you cannot do it by using the delegation of control wizard? If yes which one in the list is the correct one to check off? If not what tool or program do you use to make the changes they list?
6 to 9 months ago the built in right to add 10 work stations to the domain stopped working as well. I actually would prefer to get this working again.
Can the number (10) be changed? If yes where is that modified?
Thanks!!!
"Jorge de Almeida Pinto [MVP]" wrote:
see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
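
The following is an added example, not part of the original thread or written by its participants: a read-only PowerShell check of the ms-DS-MachineAccountQuota value discussed above and of how many computer accounts each user has already created against it. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the domain; the variable names are illustrative.

```powershell
# Added example (not from the thread): audit ms-DS-MachineAccountQuota usage.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# The quota is an attribute of the domain NC head, the same object whose
# properties are opened in ADSIEDIT in the steps quoted above.
$nc    = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
$quota = $nc.'ms-DS-MachineAccountQuota'
Write-Output "Domain NC: $domainDn  ms-DS-MachineAccountQuota: $quota"

# Computer accounts that count against the quota record their creator
# in the mS-DS-CreatorSID attribute.
$computers = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties 'mS-DS-CreatorSID', whenCreated

# Count accounts per creator and flag anyone at or over the current quota.
$computers |
    Group-Object { $_.'mS-DS-CreatorSID'.Value } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $group = $_
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($group.Name)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $group.Name }   # deleted or unresolvable account: keep the SID
        [pscustomobject]@{
            Creator       = $creator
            Computers     = $group.Count
            AtOrOverQuota = ($group.Count -ge $quota)
            Newest        = ($group.Group | Sort-Object whenCreated |
                             Select-Object -Last 1).whenCreated
        }
    }
```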