Re: DSACLS and joining a domain

From: Eddie Little (little_eddieSPAM_at_MEhotmail.NOTcom)
Date: 05/06/05


Date: Thu, 5 May 2005 20:45:01 -0400

By the looks of it top posting is the norm here so here we go...

Thanks Steve, but I am a little confused.

Is "create computer objects" a "right" that is able to be set using
something like dsacls (or even setacl)? I have a feeling I will have to
mimic this ACE with many iterations of dsacls, which has been very
inefficient for me. It takes upwards of 20 seconds to apply something like
"Reset Password" to one group for one computer object.

Maybe there are other ways to achieve this goal? I'm sure others out there
automate the creation of computer objects and apply rights to "join the
domain" at the same time. It seems a very "normal" thing to do. I was
hoping for a simple batch file approach. Something like...

@echo off
for /f "delims=" %%A in (comp_names.txt) do (
dsacls "CN=%%A,OU=Computers,DC=Domain,DC=CA" /I:T /G "Domain\Add Computers Group:CA;Reset Password;"
dsacls...
dsacls...
)

I guess I will look to a PERL or VBScript solution instead. Any insight?

Thanks,
Ed.

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uPCXQZZUFHA.3184@TK2MSFTNGP15.phx.gbl...
> I believe the user only needs create computer objects to join computers to
> the domain. --- Steve
>
>
> "Ed Little" <SPAMlittle_eddieME@hotmail.comNOT> wrote in message
> news:1jaee.7499$uE3.84@charlie.risq.qc.ca...
> > Hello,
> >
> > I am wondering what the minimum permissions needed to join a computer to a
> > domain are? I would like to autocreate computer objects using dsadd, and
> > then set the appropriate permissions using dsacls. Seems easy enough, but
> > it is pretty slow. When adding a computer in ADUC, and specifying the
> > group/user who can join it to the domain, it seems to associate many
> > unnecessary permissions. Maybe they are all needed, but mimicking these
> > settings with dsacls takes forever. Any ideas?
> >
> > Thanks a bunch.
> >
> > Ed
> >
>
>


