Re: DSACLS and joining a domain

From: Glenn L (the.only(delete)_at_gmail)
Date: 05/07/05


Date: Sat, 7 May 2005 00:48:19 -0700

Just wanted to clarify something.

What really happens with this user right is that the DACL check is ignored when
an authenticated user joins a workstation to the domain. This check is
ignored for up to the first ten workstations the user joins to the domain.
http://support.microsoft.com/default.aspx?scid=kb;en-us;243327
Windows will do a DACL check on the 11th attempt and enforce the DACL for
the "create computer objects" permission.

-- 
Glenn L
CCNA, MCSE 2000/2003 + Security
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message 
news:OLTB61eUFHA.3596@TK2MSFTNGP14.phx.gbl...
> Create computer objects is a special permission in Active Directory that 
> you will see on a container such as the domain container or an 
> Organizational Unit in advanced page when you add a group to or edit 
> permissions for a group. The user right for add workstations to the domain 
> will only allow a user to add ten workstations to the domain by default. A 
> user does not need that user right if they have the create computer 
> objects permission. As far as scripts you might take a look in the Windows 
> Scripting Center.  --- Steve
>
>
>
> "Eddie Little" <little_eddieSPAM@MEhotmail.NOTcom> wrote in message 
> news:W7WdnTGGhIvdI-ffRVn-sg@golden.net...
>> By the looks of it top posting is the norm here so here we go...
>>
>> Thanks Steve, but I am a little confused.
>>
>> Is "create computer objects" a "right" that is able to be set using
>> something like dsacls (or even setacl)?  I have a feeling I will have to
>> mimic this ACE with many iterations of dsacls, which has been very
>> inefficient for me.  It takes upwards of 20 seconds to apply something
>> like "Reset Password" to one group for one computer object.
>>
>> Maybe there are other ways to achieve this goal?  I'm sure others out
>> there automate the creation of computer objects and apply rights to "join the
>> domain" at the same time.  It seems a very "normal" thing to do.  I was
>> hoping for a simple batch file approach.  Something like...
>>
>> @echo off
>> rem One dsacls call per ACE per computer object listed in comp_names.txt
>> for /f "delims=" %%A in (comp_names.txt) do (
>>     dsacls "CN=%%A,OU=Computers,DC=Domain,DC=CA" /I:T /G "Domain\Add Computers Group:CA;Reset Password"
>>     dsacls...
>>     dsacls...
>> )
>>
>> I guess I will look to a PERL or VBScript solution instead.  Any insight?
>>
>> Thanks,
>> Ed.
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:uPCXQZZUFHA.3184@TK2MSFTNGP15.phx.gbl...
>>> I believe the user only needs create computer objects to join computers
>>> to the domain.  --- Steve
>>>
>>>
>>> "Ed Little" <SPAMlittle_eddieME@hotmail.comNOT> wrote in message
>>> news:1jaee.7499$uE3.84@charlie.risq.qc.ca...
>>> > Hello,
>>> >
>>> > I am wondering what the minimum permissions needed to join a computer
>>> > to a domain are?  I would like to autocreate computer objects using dsadd,
>>> > and then set the appropriate permissions using dsacls.  Seems easy enough,
>>> > but it is pretty slow.  When adding a computer in ADUC, and specifying the
>>> > group/user who can join it to the domain, it seems to associate many
>>> > unnecessary permissions.  Maybe they are all needed, but mimicking these
>>> > settings with dsacls takes forever.  Any ideas?
>>> >
>>> > Thanks a bunch.
>>> >
>>> > Ed
>>> >
>>>
>>>
>>
>>
>
> 

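The delegation this thread circles around, written out as an added example that is not code from any of the posters: a PowerShell script that reports the domain quota behind the ten-machine allowance Glenn describes, grants a group "Create Computer objects" on an OU (the permission Steve points to), and, for computer accounts that are pre-created with dsadd, applies with dsacls only the per-object rights a domain join actually writes, instead of everything the ADUC "can join" option grants. The OU, group and computer names are placeholder assumptions; the attribute name ms-DS-MachineAccountQuota and the four per-object rights (reset password, the two validated writes, the Account Restrictions property set) come from general Active Directory knowledge, not from the thread.

```powershell
# Added example for this thread, not code posted by any participant.
# Assumptions (placeholders): the OU, the delegated group and the sample names below.
# Run from an elevated prompt as a user who may modify the OU's DACL.
$ou      = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU that holds the joinable accounts
$joiners = 'CONTOSO\Workstation Joiners'          # assumed group allowed to join machines
$names   = @('WS001', 'WS002', 'WS003')           # constructed list; real use: Get-Content comp_names.txt

# 1. The ten-machine allowance is the domain's ms-DS-MachineAccountQuota. Below that
#    count an authenticated user's join skips the DACL check, so delegation only
#    matters once the quota is used up or has been set to 0.
$domainDn = ($ou -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','
$domain   = [ADSI]"LDAP://$domainDn"
$quota    = $domain.Properties['ms-DS-MachineAccountQuota'].Value
Write-Host "ms-DS-MachineAccountQuota on $domainDn is currently $quota"
# To force every join through the DACL instead: $domain.Put('ms-DS-MachineAccountQuota', 0); $domain.SetInfo()

# 2. Let the group create computer objects directly under the OU. 'CC;computer' is the
#    "Create Computer objects" ACE; a user holding it needs neither the
#    "Add workstations to domain" user right nor any remaining quota.
dsacls $ou /G "${joiners}:CC;computer" | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed to grant create-child on $ou" }

# 3. For accounts pre-created here (or by someone else), a join needs only these
#    rights on the object itself. ADUC's "user or group can join" option grants a
#    larger set, which is what makes mimicking it ACE by ACE so slow.
$joinAces = @(
    'CA;Reset Password',                             # extended right (control access)
    'WS;Validated write to DNS host name',           # validated write to dNSHostName
    'WS;Validated write to service principal name',  # validated write to servicePrincipalName
    'RPWP;Account Restrictions'                      # property set that holds userAccountControl
)

foreach ($name in $names) {
    $dn = "CN=$name,$ou"
    dsadd computer $dn | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd failed for $dn, skipping its ACEs"; continue }
    foreach ($ace in $joinAces) {
        dsacls $dn /G "${joiners}:$ace" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed on $dn for '$ace'" }
    }
}

# 4. Verify one object: the group should appear with exactly the ACEs granted above.
dsacls "CN=$($names[0]),$ou" | Select-String -SimpleMatch $joiners
```

Once the group holds "Create Computer objects" on the OU, members can pre-create and join their own accounts without the per-object loop; the loop is only needed for accounts that a different principal created, since the creator of an object gets the owner's rights and other principals do not.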
