Re: Workstations permissions to its own AD computer object




"MrGimper" <me@xxxxxxxx> wrote in message
news:%234eJ7zfgHHA.4952@xxxxxxxxxxxxxxxxxxxxxxx

"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:%234ipirfgHHA.3656@xxxxxxxxxxxxxxxxxxxxxxx
MrGimper wrote:

I wish to store some information in the extensionAttributes of a
computer object. I want to use a login script to read the value of the
extensionAttribute of the computer object which relates to the
workstation the user logs on to.

My question is: Does a workstation have the rights to read the
extensionAttributes of its own AD computer object?

I can create the script, but wondered if the rights are there by default.

Logon scripts run with the permissions of the user. Startup scripts run
with System privileges on the local computer, and the permissions of the
computer object elsewhere in the domain. If this is a logon script, the
user needs permission to read the attribute.

If computer objects need permissions in the domain to run a startup
script, I grant the rights to the "Domain Computers" group. For a logon
script, if permissions are needed I would grant them to "Domain Users".

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--



Thanks for your prompt reply Richard.

I will therefore need to grant "Domain Users" the rights to read this
attribute. What is the easiest way to grant this right to all existing
computer objects, and automatically to any computer objects created in the
future?

Thanks

Both "Domain Users" and "Domain Computers" are maintained automatically. By
default (unless you go to the effort to change it), all user objects are
members of "Domain Users" and all computer objects are members of "Domain
Computers".

This link indicates that the extensionAttributes should be in the collection
called "Public Attributes". I would expect everyone to have read permission
on these attributes.

http://support.microsoft.com/kb/924193

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
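
Added example, not part of the original thread: a logon-script fragment that looks up the workstation's own computer object as the logged-on user and reads one extension attribute, which is a direct way to confirm whether the default read permission discussed above is in effect. The attribute name extensionAttribute1 and the function name Get-OwnComputerAttribute are assumptions chosen for illustration.

```powershell
# Added example: logon-script fragment; runs with the logged-on user's permissions.
# Assumption: the value of interest is stored in extensionAttribute1.
$AttributeName = 'extensionAttribute1'

function Get-OwnComputerAttribute {
    param([Parameter(Mandatory)][string]$Attribute)

    # A default DirectorySearcher binds to the current domain as the current user.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # A computer's sAMAccountName is its NetBIOS name followed by "$".
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    [void]$searcher.PropertiesToLoad.Add($Attribute)

    $result = $searcher.FindOne()
    if ($null -eq $result) {
        throw "Computer object for $env:COMPUTERNAME was not found (or is not visible to this user)."
    }

    # Property names in a search result are returned in lower case.
    $key = $Attribute.ToLower()
    if (-not $result.Properties.Contains($key)) {
        # AD omits attributes the caller cannot read, so "not set" and
        # "no read permission" both end up here.
        return $null
    }
    return [string]$result.Properties[$key][0]
}

try {
    $value = Get-OwnComputerAttribute -Attribute $AttributeName
    if ($null -eq $value) {
        Write-Warning "$AttributeName is empty or not readable by $env:USERNAME."
    } else {
        Write-Output "$AttributeName = $value"
    }
} catch {
    Write-Warning "Lookup failed: $($_.Exception.Message)"
}
```

Running it once as an ordinary domain user against a computer object whose attribute is known to be populated separates the two cases that the null result cannot tell apart.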

