Re: Allow users to change Description attribute for computer account
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 07/12/05
- Next message: J*A*N*E*L*L*E*: "W32/Startpage.TK"
- Previous message: razor: "Re: *Need Help* With the Best Practice for Changing Admin Account"
- In reply to: rickb: "Allow users to change Description attribute for computer account"
- Next in thread: rickb: "Re: Allow users to change Description attribute for computer accou"
- Reply: rickb: "Re: Allow users to change Description attribute for computer accou"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 11 Jul 2005 18:13:00 -0500
By default a regular user can join a computer to the domain up to ten times.
You can permanently give a user the ability to join computers to the domain
by giving a users group create computer objects permission on the domain or
computers container. This is called delegation of authority. You can right
click the domain or a container and select delegate control to start the
delegation wizard which has preset categories or you can create custom ones.
The delegation wizard simply changes AD permissions on the object. You also
for instance could select a container, right click
properties/security/advanced and then add or edit permissions. Then select
apply onto computer object and look for the needed permissions in the object
or properties tab. I believe read/write description is in the properties
tab. --- Steve
"rickb" <rickb@discussions.microsoft.com> wrote in message
news:B5205AD6-C197-422E-B8FC-00C535F4D31B@microsoft.com...
> Windows 2003 AD.
>
> All computer names are similar and are incremented by number 0001-9999.
>
> I found a script on technet from the scripting guys. Script works fine
> for
> me (I'm a domain admin), but fails for other users. The second part to
> the
> article was to give the users permissions to change the Description
> attribute. I don't necessarily want to give them the keys to the kingdom
> to
> accomplish this. Is this the group policy that allows the user to join
> the
> domain? can anyone shed some light?
>
> here's a link to the article:
> http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0429.mspx
>
>
- Next message: J*A*N*E*L*L*E*: "W32/Startpage.TK"
- Previous message: razor: "Re: *Need Help* With the Best Practice for Changing Admin Account"
- In reply to: rickb: "Allow users to change Description attribute for computer account"
- Next in thread: rickb: "Re: Allow users to change Description attribute for computer accou"
- Reply: rickb: "Re: Allow users to change Description attribute for computer accou"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
