Active Directory Machine Account Permissions

From: Jay Armstrong (
Date: 02/28/05

Date: Mon, 28 Feb 2005 08:53:05 -0800

I am creating computer accounts from a web interface and need to set the
group that has the rights to join the computer to the domain (by default it
is Domain Admins).

I can create the accounts, and join them as a domain admin. The problem
arises when the local administrators who have been delagated control to thier
OU try to join the computer to the domain. They are recieveing an Account
Exists error.

This all works on my test domain with an account I have set up there, but
fails on the live domain.

I want to explicity assign Full Control of the computer account object to
the local admins group for the OU to see if this will fix the problem.

I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method but
can't find any documentation on it. (is it part of asp 2.0?)

Any help is appreciated,


Here is my creation code:

// Create the new Object
DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + MachineName,
// Create Computer Account
NewComputer.Properties["sAMAccountName"].Add(MachineName + "$");

// Save Computer Account
// Create routine to set group able to add the computer to the domain
// as the Designated OU Global Group
<!-- here is where I am having the problem -->