Re: Rights to Join Machine to Domain an Issue?

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 05/06/03

    Date: Tue, 6 May 2003 17:37:50 -0400
    
    

    I agree and that was what I was intending to say. I actually posted code in one of these groups in recent days
    concerning how to do this.

    You seem to have listed two options.

    1. Give the ability to create and... <I would stop you at that point, be tight on who gets to create anything>
    2. Give out only the 4 specified perms... This is what we did for servers in our environment.

    --
    Joe Richards
    www.joeware.net
    --
    "PMasters" <Pmaster@kea.com> wrote in message news:083901c313d4$71ac7d30$a101280a@phx.gbl...
    > Hmmm,
    > They will not be able to create, because they do not have
    > rights to the default "Computer" container. And they are
    > given rights only to the One Machine name.
    > I am worried about giving it to a group, and giving them
    > rights to add any machine name they like. I prefer to have
    > the Admin create the machine name, give a single user
    > rights to join it, and limit it that way.
    > Ah well....
    > thanks
    >
    >
    > >-----Original Message-----
    > >Well if they have create/join then they become
    > creator/owners so they would actually have FC over the
    > computer objects.
    > >Giving the limited set of permissions just gives them
    > those permissions. I would recommend giving those
    > permissions to
    > >the specific group or people doing the joins, giving them
    > to authenticated users or everyone could prove dangerous.
    > >
    > >--
    > >Joe Richards
    > >www.joeware.net
    > >
    > >--
    > >
    > >"Paul Masters" <PMasters@kea.com> wrote in message
    > news:011f01c31332$7223d7b0$a401280a@phx.gbl...
    > >> Big debate going on here...
    > >> On the subject of Joining Machines to a 2000 Domain/A.D.
    > >> One party wants to give the users the Four additional
    > >> permissions to join one specific machine name to the
    > >> domain...
    > >> 1. Reset Password, 2. Validated Write to DNS host name
    > >> 3. Validated write to Service Principal Name
    > >> and 4. Write Account Restrictions.
    > >> Do four additional rights grant an ID more power to
    > >> pose more of a threat than usual? And if yes, is there
    > >> any documentation on it?
    > >> The other school of thought is to provide I.T. Techs the
    > >> power to create and join, more risky in my opinion.
    > >> Let me know...
    > >> Thanks....
    > >>
    > >
    > >
    > >.
    > >
    

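The delegation Joe recommends (pre-create the computer object as an admin, then hand one specific principal only the four permissions on that one object, with no Create Child right on the container) can be scripted and then verified. The block below is an added example written for this page, not code from the thread or from joeware; it assumes the RSAT ActiveDirectory module and a domain-joined admin session, and the OU path, computer name and account name are placeholders. The four GUIDs are the AD schema identifiers for the rights named in the original question.

```powershell
# Added example (not from the original thread). Delegates exactly the four rights
# discussed above on ONE pre-staged computer object to ONE principal.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive) is installed.
Import-Module ActiveDirectory

# Schema GUIDs for the four rights (stable across AD forests).
$Rights = @{
    ResetPassword       = @{ Guid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'; Type = 'ExtendedRight' } # User-Force-Change-Password
    ValidatedDnsHost    = @{ Guid = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'; Type = 'Self' }          # Validated write to DNS host name
    ValidatedSpn        = @{ Guid = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'; Type = 'Self' }          # Validated write to SPN
    AccountRestrictions = @{ Guid = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'; Type = 'WriteProperty' } # User-Account-Restrictions property set
}

function Grant-DomainJoinOnObject {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$OuDn,       # e.g. 'OU=Workstations,DC=corp,DC=example' (placeholder)
        [Parameter(Mandatory)][string]$Principal   # 'DOMAIN\user' or 'DOMAIN\group' (placeholder)
    )
    # The admin creates the object, so the admin (not the delegate) is Creator Owner.
    # The delegate never receives Create Child on the OU or the Computers container.
    $computer = Get-ADComputer -Filter "Name -eq '$ComputerName'" -SearchBase $OuDn -ErrorAction SilentlyContinue
    if (-not $computer) {
        $computer = New-ADComputer -Name $ComputerName -Path $OuDn -PassThru
    }

    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    foreach ($r in $Rights.Values) {
        # One object-specific ACE per right; no GenericAll, no WriteDacl, no WriteOwner.
        $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]$r.Type,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $r.Guid
        )
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $path -AclObject $acl
    $computer.DistinguishedName
}

function Test-DomainJoinDelegation {
    # Reads the ACL back and flags any ACE for the principal that is broader than the four rights.
    param(
        [Parameter(Mandatory)][string]$ComputerDn,
        [Parameter(Mandatory)][string]$Principal
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $expected = $Rights.Values | ForEach-Object { $_.Guid.ToString() }
    $acl = Get-Acl -Path "AD:\$ComputerDn"

    foreach ($ace in $acl.Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -ne $sid) { continue }
        $tooBroad = ($ace.ObjectType.ToString() -notin $expected) -or
                    ("$($ace.ActiveDirectoryRights)" -match 'GenericAll|WriteDacl|WriteOwner')
        '{0,-6} {1,-40} {2}' -f ($(if ($tooBroad) { 'EXTRA' } else { 'ok' }),
                                 $ace.ActiveDirectoryRights, $ace.ObjectType)
    }
}

# Usage (placeholder names):
# $dn = Grant-DomainJoinOnObject -ComputerName 'WS0042' -OuDn 'OU=Workstations,DC=corp,DC=example' -Principal 'CORP\jdoe'
# Test-DomainJoinDelegation -ComputerDn $dn -Principal 'CORP\jdoe'
```

The verification step is what distinguishes this model from the "create and join" one: a principal who created the object appears as owner and effectively holds full control over it, whereas here every ACE for the delegate is tied to one of the four schema GUIDs and any row marked EXTRA is a misconfiguration to remove. One caveat not raised in the thread: in a default domain the ms-DS-MachineAccountQuota attribute still lets any authenticated user create up to ten computer accounts, so tight delegation on the pre-staged objects should go together with setting that quota to 0.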