Re: Allow users to change Description attribute for computer accou

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 07/12/05


Date: Tue, 12 Jul 2005 12:56:58 -0500

That is more difficult. There is no wizard to "undo" delegation of
authority. You would have to manually change the permissions on the AD
object. It may help to compare permissions to a container/OU that has not
had its default permissions changed. The command line tool dsacls can be
used to restore default permissions to an object. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;281146 --- Dsacls.
Works same for W2003.

"rickb" <rickb@discussions.microsoft.com> wrote in message
news:AF61D8E5-E240-4EE0-A6B3-7335F3E382E4@microsoft.com...
> Awesome. I guess I should have mentioned that I'm running Windows 2003 sp1.
> So, there's an option when you right click to delegate control. In my test
> lab, I granted Domain Users the authority to read/write descriptions on
> Computer objects only. But I am under the assumption that it isn't the
> greatest idea to use Built-in groups for delegation. I can easily create a
> new group and throw all users in it and go about it that way.
>
> How do you remove delegation if you decide it isn't working correctly or you
> used an incorrect group?
> -Rick
>
> "Steven L Umbach" wrote:
>
>> By default a regular user can join a computer to the domain up to ten times.
>> You can permanently give a user the ability to join computers to the domain
>> by giving a users group create computer objects permission on the domain or
>> computers container. This is called delegation of authority. You can right
>> click the domain or a container and select delegate control to start the
>> delegation wizard which has preset categories or you can create custom ones.
>> The delegation wizard simply changes AD permissions on the object. You also
>> for instance could select a container, right click
>> properties/security/advanced and then add or edit permissions. Then select
>> apply onto computer object and look for the needed permissions in the object
>> or properties tab. I believe read/write description is in the properties
>> tab. --- Steve
>>
>>
>> "rickb" <rickb@discussions.microsoft.com> wrote in message
>> news:B5205AD6-C197-422E-B8FC-00C535F4D31B@microsoft.com...
>> > Windows 2003 AD.
>> >
>> > All computer names are similar and are incremented by number 0001-9999.
>> >
>> > I found a script on technet from the scripting guys. Script works fine for
>> > me (I'm a domain admin), but fails for other users. The second part to the
>> > article was to give the users permissions to change the Description
>> > attribute. I don't necessarily want to give them the keys to the kingdom to
>> > accomplish this. Is this the group policy that allows the user to join the
>> > domain? Can anyone shed some light?
>> >
>> > Here's a link to the article:
>> > http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0429.mspx
>> >
>> >
>>
>>
>>
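
Added example, not part of the original thread: the delegation discussed above done with dsacls for a dedicated group, followed by the two ways to undo it. The OU distinguished name and the group name are placeholders chosen for illustration; substitute your own.

```powershell
# Added example. $ou and $group are placeholders, not values from the thread.
param([switch]$ResetToSchemaDefault)

$ou    = 'OU=Workstations,DC=example,DC=com'
$group = 'EXAMPLE\ComputerDescEditors'   # dedicated group instead of Domain Users

# 1. Save the ACL before touching it, so there is a baseline to compare against.
$before = dsacls $ou
$before | Out-File -Encoding ascii "$env:TEMP\acl-before.txt"

# 2. Grant read property (RP) and write property (WP) on the description
#    attribute only, applying to computer objects. /I:S limits the ACE to
#    sub-objects, so the OU object itself is not affected.
dsacls $ou /I:S /G "${group}:RPWP;description;computer"

# 3. Review what was added: lines present now that were not in the baseline.
$after = dsacls $ou
Compare-Object $before $after |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject

# 4. Undo for one trustee: /R removes ALL ACEs for that user or group on
#    this object, not just the description delegation.
dsacls $ou /R $group

# 5. Heavier option: /S restores the schema default security for the
#    object's class and discards every custom ACE on it, including other
#    delegations. Only run when that is the intent.
if ($ResetToSchemaDefault) {
    dsacls $ou /S
}
```

Run from an elevated prompt on a machine with the AD administration tools installed, as an account that can modify permissions on the OU.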


