Re: DSACLS and joining a domain

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/06/05

    Date: Thu, 5 May 2005 22:44:02 -0500
    
    

    Create computer objects is a special permission in Active Directory that
    you will see on a container such as the domain container or an
    Organizational Unit in the advanced page when you add a group to or edit
    permissions for a group. The user right for add workstations to the domain
    will only allow a user to add ten workstations to the domain by default. A
    user does not need that user right if they have the create computer objects
    permission. As far as scripts, you might take a look in the Windows Scripting
    Center. --- Steve

    "Eddie Little" <little_eddieSPAM@MEhotmail.NOTcom> wrote in message
    news:W7WdnTGGhIvdI-ffRVn-sg@golden.net...
    > By the looks of it top posting is the norm here so here we go...
    >
    > Thanks Steve, but I am a little confused.
    >
    > Is "create computer objects" a "right" that is able to be set using
    > something like dsacls (or even setacl)? I have a feeling I will have to
    > mimic this ACE with many iterations of dsacls, which has been very
    > inefficient for me. It takes upwards of 20 seconds to apply something
    > like "Reset Password" to one group for one computer object.
    >
    > Maybe there are other ways to achieve this goal? I'm sure others out
    > there automate the creation of computer objects and apply rights to
    > "join the domain" at the same time. It seems a very "normal" thing to
    > do. I was hoping for a simple batch file approach. Something like...
    >
    > @echo off
    > for /f "delims=" %%A in (comp_names.txt) do (
    > dsacls "CN=%%A,OU=Computers,DC=Domain,DC=CA" /I:T /G "Domain\Add Computers Group:CA;Reset Password;"
    > dsacls...
    > dsacls...
    > )
    >
    > I guess I will look to a PERL or VBScript solution instead. Any insight?
    >
    > Thanks,
    > Ed.
    >
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:uPCXQZZUFHA.3184@TK2MSFTNGP15.phx.gbl...
    >> I believe the user only needs create computer objects to join computers
    >> to the domain. --- Steve
    >>
    >>
    >> "Ed Little" <SPAMlittle_eddieME@hotmail.comNOT> wrote in message
    >> news:1jaee.7499$uE3.84@charlie.risq.qc.ca...
    >> > Hello,
    >> >
    >> > I am wondering what the minimum permissions needed to join a computer
    >> > to a domain are? I would like to autocreate computer objects using
    >> > dsadd, and then set the appropriate permissions using dsacls. Seems
    >> > easy enough, but it is pretty slow. When adding a computer in ADUC,
    >> > and specifying the group/user who can join it to the domain, it seems
    >> > to associate many unnecessary permissions. Maybe they are all needed,
    >> > but mimicking these settings with dsacls takes forever. Any ideas?
    >> >
    >> > Thanks a bunch.
    >> >
    >> > Ed
    >> >
    >>
    >>
    >
    >
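
Added example, not part of either poster's messages: one way to apply the delegation discussed in this thread with OU-level dsacls calls instead of one call per computer object. The OU path and group name are the sample values from the quoted batch file; handling Reset Password as a single inherited ACE is an assumption about what that loop was meant to achieve.

```bat
@echo off
rem Added example, not from the original thread.
rem OU and GRP are the sample values from the quoted post; adjust to the real directory.
setlocal
set "OU=OU=Computers,DC=Domain,DC=CA"
set "GRP=Domain\Add Computers Group"

rem 1. Grant Create Child (CC) restricted to computer objects on the OU.
rem    /I:T = this object and sub-objects, so nested OUs are covered too.
rem    With this ACE the group does not depend on the "add workstations
rem    to the domain" user right.
dsacls "%OU%" /I:T /G "%GRP%:CC;computer"
if errorlevel 1 goto :fail

rem 2. Replace the per-computer loop with one inheritable ACE:
rem    /I:S = sub-objects only; the third field limits inheritance
rem    to computer objects, so users and groups in the OU are unaffected.
dsacls "%OU%" /I:S /G "%GRP%:CA;Reset Password;computer"
if errorlevel 1 goto :fail

rem 3. Review step: list the ACEs the group now holds on the OU so the
rem    delegation can be checked against what was intended.
dsacls "%OU%" | findstr /I /C:"Add Computers Group"
goto :eof

:fail
echo dsacls failed with errorlevel %errorlevel% 1>&2
exit /b 1
```

Scoping both ACEs to a dedicated OU keeps the delegated group from creating or resetting computer accounts elsewhere in the domain.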

