Active Directory Machine Account Permissions

From: Jay Armstrong (JayArmstrong_at_discussions.microsoft.com)
Date: 02/28/05


Date: Mon, 28 Feb 2005 08:53:05 -0800

I am creating computer accounts from a web interface and need to set the
group that has the rights to join the computer to the domain (by default it
is Domain Admins).

I can create the accounts, and join them as a domain admin. The problem
arises when the local administrators who have been delegated control to their
OU try to join the computer to the domain. They are receiving an Account
Exists error.

This all works on my test domain with an account I have set up there, but
fails on the live domain.

I want to explicitly assign Full Control of the computer account object to
the local admins group for the OU to see if this will fix the problem.

I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method but
can't find any documentation on it. (is it part of asp 2.0?)

Any help is appreciated,

Jay

Here is my creation code:

// Namespace import and method wrapper added so the fragment compiles as posted;
// DirLocation, MachineName, SchemaName, MachDesc and AccountControl are the
// poster's own variables, taken here as parameters.
using System.DirectoryServices;

static void CreateComputer(DirectoryEntry DirLocation, string MachineName,
    string SchemaName, string MachDesc, int AccountControl)
{
    // Create the new Object
    DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + MachineName, SchemaName);

    // Create Computer Account
    NewComputer.Properties["sAMAccountName"].Add(MachineName + "$");
    NewComputer.Properties["description"].Add(MachDesc);
    NewComputer.Properties["userAccountControl"].Add(AccountControl);

    // Save Computer Account
    NewComputer.CommitChanges();

    // Create routine to set group able to add the computer to the domain
    // as the Designated OU Global Group
    // <-- here is where I am having the problem (was an HTML comment, not valid C#)

    NewComputer.Close();
}
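An added example, not code from the post, showing how ObjectSecurity.AddAccessRule can grant the delegated OU group the rights a domain join of a pre-staged account actually needs (reset password, write to account restrictions, validated writes to dNSHostName and servicePrincipalName) rather than Full Control; ActiveDirectorySecurity and ActiveDirectoryAccessRule live in System.DirectoryServices from .NET Framework 2.0 onward. The domain and group names are placeholders, the schema GUIDs are the default-schema values and should be checked against your forest, and the caller must hold Write DACL on the object (the creating account has it as owner).

```csharp
// Added example; assumes the computer object has already been created and
// committed as in the post above.
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class JoinDelegation
{
    // Well-known default-schema GUIDs (assumption: verify against your schema).
    static readonly Guid ResetPassword        = new Guid("00299570-246d-11d0-a768-00aa006e0529"); // User-Force-Change-Password
    static readonly Guid AccountRestrictions  = new Guid("4c164200-20c0-11d0-a768-00aa006e0529"); // property set
    static readonly Guid ValidatedDnsHostName = new Guid("72e39547-7b18-11d1-adef-00c04fd8d5cd");
    static readonly Guid ValidatedSpn         = new Guid("f3a64788-5306-11d1-a9c5-0000f80367c1");

    // Least-privilege grant: exactly what joining a pre-staged account requires.
    public static void GrantJoinRights(DirectoryEntry computer, string domain, string group)
    {
        IdentityReference who = new NTAccount(domain, group); // e.g. "EXAMPLE", "OU-Admins" (placeholders)
        ActiveDirectorySecurity acl = computer.ObjectSecurity;

        acl.AddAccessRule(new ActiveDirectoryAccessRule(who, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, ResetPassword));
        acl.AddAccessRule(new ActiveDirectoryAccessRule(who, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, AccountRestrictions));
        acl.AddAccessRule(new ActiveDirectoryAccessRule(who, ActiveDirectoryRights.Self, AccessControlType.Allow, ValidatedDnsHostName));
        acl.AddAccessRule(new ActiveDirectoryAccessRule(who, ActiveDirectoryRights.Self, AccessControlType.Allow, ValidatedSpn));

        // ACL edits are only written to the directory by CommitChanges().
        computer.CommitChanges();
    }

    // The Full Control variant the post asks about, for comparison; it is
    // much broader than a join needs.
    public static void GrantFullControl(DirectoryEntry computer, string domain, string group)
    {
        var rule = new ActiveDirectoryAccessRule(new NTAccount(domain, group),
            ActiveDirectoryRights.GenericAll, AccessControlType.Allow);
        computer.ObjectSecurity.AddAccessRule(rule);
        computer.CommitChanges();
    }

    // Check: does an explicit Allow ACE for the group carry at least 'right'?
    public static bool HasAllowRule(DirectoryEntry computer, string domain, string group, ActiveDirectoryRights right)
    {
        string name = domain + "\\" + group;
        foreach (ActiveDirectoryAccessRule r in computer.ObjectSecurity.GetAccessRules(true, false, typeof(NTAccount)))
        {
            if (r.AccessControlType == AccessControlType.Allow
                && string.Equals(r.IdentityReference.Value, name, StringComparison.OrdinalIgnoreCase)
                && (r.ActiveDirectoryRights & right) == right)
                return true;
        }
        return false;
    }
}
```

Call GrantJoinRights (or GrantFullControl) on NewComputer after the first CommitChanges() and before Close(); HasAllowRule lets the web interface confirm the ACE landed before reporting success.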

