Re: Active Directory Machine Account Permissions
From: Jay Armstrong (JayArmstrong_at_discussions.microsoft.com)
Date: 03/14/05
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Active Directory Machine Account Permissions"
Date: Mon, 14 Mar 2005 14:25:06 -0800
Joe,
Thanks for the feedback. Unfortunately I cannot run 2.0 on my production
servers, so I will have to wait for the AD security code.
We tracked it down to a rights assignment not taking. After removing the
delegation and recreating it, the remote admins could join the machines to
the domain.
We would still like to explicitly assign the rights to the groups, but I
(still) can't find the examples you mention in the MSDN. Do you have a link?
Jay
"Joe Kaplan (MVP - ADSI)" wrote:
> Did you find a solution for this? I didn't see a reply.
>
> To modify the security descriptor in .NET 1.1, you need to do COM Interop
> with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs in
> MSDN.
>
> The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you want
> to use the beta or CTP though. :)
>
> Joe K.
>
> "Jay Armstrong" <JayArmstrong@discussions.microsoft.com> wrote in message
> news:37422076-E5D3-451A-B85F-8F73FBFD26C9@microsoft.com...
> > I am creating computer accounts from a web interface and need to set the
> > group that has the rights to join the computer to the domain (by default
> > it is Domain Admins).
> >
> > I can create the accounts, and join them as a domain admin. The problem
> > arises when the local administrators who have been delegated control to
> > their OU try to join the computer to the domain. They are receiving an
> > Account Exists error.
> >
> > This all works on my test domain with an account I have set up there, but
> > fails on the live domain.
> >
> > I want to explicitly assign Full Control of the computer account object to
> > the local admins group for the OU to see if this will fix the problem.
> >
> > I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method
> > but can't find any documentation on it. (is it part of asp 2.0?)
> >
> > Any help is appreciated,
> >
> > Jay
> >
> > Here is my creation code:
> >
> > // Create the new Object
> > DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + MachineName,
> > SchemaName);
> >
> > // Create Computer Account
> > NewComputer.Properties["sAMAccountName"].Add(MachineName + "$");
> > NewComputer.Properties["description"].Add(MachDesc);
> > NewComputer.Properties["userAccountControl"].Add(AccountControl);
> >
> > // Save Computer Account
> > NewComputer.CommitChanges();
> >
> > // Create routine to set group able to add the computer to the domain
> > // as the Designated OU Global Group
> > // here is where I am having the problem
> >
> > NewComputer.Close();
> >
>
>
>
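An added example, not code from either poster: one way to grant a delegated group explicit Full Control on a single computer object with the .NET 2.0 `ActiveDirectorySecurity` API the thread mentions. The class name, method names and the sample DN and group name are hypothetical. It only touches the DACL and skips the write when the ACE is already there.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class ComputerAcl
{
    // computerDn and groupName are hypothetical inputs, for example
    // "CN=PC01,OU=Site,DC=example,DC=com" and @"EXAMPLE\Site-Admins".
    // Returns true if an ACE was added, false if it was already present.
    public static bool GrantFullControl(string computerDn, string groupName)
    {
        using (DirectoryEntry computer = new DirectoryEntry("LDAP://" + computerDn))
        {
            // Read and write only the DACL. Without this mask the whole
            // security descriptor (owner, group, SACL) is requested, which
            // needs privileges a delegated service account usually lacks.
            computer.Options.SecurityMasks = SecurityMasks.Dacl;

            // Resolve the group to a SID so the comparison does not depend
            // on how the name was written.
            SecurityIdentifier sid = (SecurityIdentifier)
                new NTAccount(groupName).Translate(typeof(SecurityIdentifier));

            if (HasExplicitFullControl(computer, sid))
                return false;

            // Allow ACE on this object only; it is not inherited by children.
            ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(
                sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow,
                ActiveDirectorySecurityInheritance.None);
            computer.ObjectSecurity.AddAccessRule(rule);
            computer.CommitChanges();
            return true;
        }
    }

    // True when the object already carries an explicit (non-inherited)
    // Allow ACE for this SID that covers every Full Control right.
    static bool HasExplicitFullControl(DirectoryEntry entry, SecurityIdentifier sid)
    {
        AuthorizationRuleCollection rules =
            entry.ObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
        foreach (ActiveDirectoryAccessRule r in rules)
        {
            if (r.IdentityReference.Equals(sid)
                && r.AccessControlType == AccessControlType.Allow
                && (r.ActiveDirectoryRights & ActiveDirectoryRights.GenericAll)
                    == ActiveDirectoryRights.GenericAll)
                return true;
        }
        return false;
    }
}
```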