Re: Allow users to change Description attribute for computer accou

From: rickb (rickb_at_discussions.microsoft.com)
Date: 07/12/05


Date: Tue, 12 Jul 2005 07:06:07 -0700

Awesome. I guess I should have mentioned that I'm running Windows 2003 sp1.
So, there's an option when you right click to delegate control. In my test
lab, I granted Domain Users the authority to read/write descriptions on
Computer objects only. But I am under the assumption that it isn't the
greatest idea to use Built-in groups for delegation. I can easily create a
new group and throw all users in it and go about it that way.

How do you remove delegation if you decide it isn't working correctly or you
used an incorrect group?
-Rick

"Steven L Umbach" wrote:

> By default a regular user can join a computer to the domain up to ten times.
> You can permanently give a user the ability to join computers to the domain
> by giving a users group create computer objects permission on the domain or
> computers container. This is called delegation of authority. You can right
> click the domain or a container and select delegate control to start the
> delegation wizard which has preset categories or you can create custom ones.
> The delegation wizard simply changes AD permissions on the object. You also
> for instance could select a container, right click
> properties/security/advanced and then add or edit permissions. Then select
> apply onto computer object and look for the needed permissions in the object
> or properties tab. I believe read/write description is in the properties
> tab. --- Steve
>
>
> "rickb" <rickb@discussions.microsoft.com> wrote in message
> news:B5205AD6-C197-422E-B8FC-00C535F4D31B@microsoft.com...
> > Windows 2003 AD.
> >
> > All computer names are similar and are incremented by number 0001-9999.
> >
> > I found a script on TechNet from the scripting guys. Script works fine for
> > me (I'm a domain admin), but fails for other users. The second part to the
> > article was to give the users permissions to change the Description
> > attribute. I don't necessarily want to give them the keys to the kingdom to
> > accomplish this. Is this the group policy that allows the user to join the
> > domain? Can anyone shed some light?
> >
> > here's a link to the article:
> > http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0429.mspx
> >
> >
>
>
>
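
Added example, not part of the thread or written by its participants: because the delegation wizard only changes AD permissions on the object, a delegation can be reviewed and undone by finding the access-control entries it wrote. The script below lists, and with `-Remove` deletes, the explicit allow ACEs that give one group read/write on the description property of computer objects. The container DN and group name are placeholders, and it assumes the delegation was scoped to computer objects as described above.

```powershell
# Added example. $ContainerDn and $Group defaults are placeholders, not values from the thread.
param(
    [string]$ContainerDn = 'CN=Computers,DC=example,DC=com',
    [string]$Group       = 'EXAMPLE\Domain Users',
    [switch]$Remove      # without this switch the script only reports
)

# Schema GUIDs: the description attribute and the computer object class.
$DescriptionAttr = [guid]'bf967950-0de6-11d0-a285-00aa003049e2'
$ComputerClass   = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$Rights          = [System.DirectoryServices.ActiveDirectoryRights]
$PropertyRights  = $Rights::ReadProperty -bor $Rights::WriteProperty

# Resolve the group to a SID so matching does not depend on name formatting.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$entry = [ADSI]"LDAP://$ContainerDn"
# Read and write the DACL only; owner and SACL are left untouched.
$entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$acl = $entry.psbase.ObjectSecurity

# Explicit ACEs only ($true, $false): the delegation is stored on the container
# itself, and inherited copies go away once the source ACE is removed.
$found = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $DescriptionAttr -and
        $_.InheritedObjectType -eq $ComputerClass -and
        ($_.ActiveDirectoryRights -band $PropertyRights)
    })

if ($found.Count -eq 0) {
    "No description delegation for $Group found on $ContainerDn"
    return
}

# Show what the delegation actually granted before touching anything.
$found | Format-List IdentityReference, ActiveDirectoryRights, InheritanceType

if ($Remove) {
    # Remove exactly the ACEs listed above and write the DACL back.
    foreach ($ace in $found) { $acl.RemoveAccessRuleSpecific($ace) }
    $entry.psbase.CommitChanges()
    "Removed $($found.Count) ACE(s) for $Group on $ContainerDn"
}
```

Run it once without `-Remove` against the container where the delegation was applied and confirm the listed entries are the ones intended before removing them.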


