Re: DSACLS and joining a domain
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 05/08/05
- Next message: Joe Richards [MVP]: "Re: Inheritable ACE doesn't inherit (code included)"
- Previous message: Joe Richards [MVP]: "Re: What permissions needed to restart service"
- In reply to: Eddie Little: "Re: DSACLS and joining a domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 08 May 2005 10:31:44 -0400
Create computer object allows the creation of the object in AD; it doesn't allow
join by default. However, as mentioned later in the thread, by default, auth
users can join 10 machines.
To get the permissions needed to do the join, I would recommend manually
creating a computer account and delegating the join in ADUC and then looking at
the resulting permissions. I did this several years ago for 2K for a script I
wrote to do this stuff but I believe it may have changed for K3.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Eddie Little wrote:
> By the looks of it top posting is the norm here so here we go...
>
> Thanks Steve, but I am a little confused.
>
> Is "create computer objects" a "right" that is able to be set using
> something like dsacl (or even setacl)? I have a feeling I will have to
> mimic this ACE with many iterations of dsacls, which has been very
> inefficient for me. It takes upwards of 20 seconds to apply something like
> "Reset Password" to one group for one computer object.
>
> Maybe there are other ways to achieve this goal? I'm sure others out there
> automate the creation of computer objects and apply rights to "join the
> domain" at the same time. It seems a very "normal" thing to do. I was
> hoping for a simple batch file approach. Something like...
>
> @echo off
> for /f "delims=" %%A in (comp_names.txt) do (
>   dsacls "CN=%%A,OU=Computers,DC=Domain,DC=CA" /I:T /G "Domain\Add Computers Goup:CA;Reset Password;"
>   dsacls...
>   dsacls...
> )
>
> I guess I will look to a PERL or VBScript solution instead. Any insight?
>
> Thanks,
> Ed.
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:uPCXQZZUFHA.3184@TK2MSFTNGP15.phx.gbl...
>
>>I believe the user only needs create computer objects to join computers to
>>the domain. --- Steve
>>
>>"Ed Little" <SPAMlittle_eddieME@hotmail.comNOT> wrote in message
>>news:1jaee.7499$uE3.84@charlie.risq.qc.ca...
>>
>>>Hello,
>>>
>>>I am wondering what the minimum permissions needed to join a computer to a
>>>domain are? I would like to autocreate computer objects using dsadd, and
>>>then set the appropriate permissions using dsacls. Seems easy enough, but
>>>it is pretty slow. When adding a computer in ADUC, and specifying the
>>>group/user who can join it to the domain, it seems to associate many
>>>unnecessary permissions. Maybe they are all needed, but mimicking these
>>>settings with dsacls takes forever. Any ideas?
>>>
>>>Thanks a bunch.
>>>
>>>Ed
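
The approach recommended in the reply above (pre-stage one computer account in ADUC with the join delegated, then read back what was granted), as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is installed; the DN and group name are placeholders, and the function name is hypothetical.

```powershell
# Added example: list the explicit ACEs that ADUC wrote for the delegated
# principal on one pre-staged computer object, with GUIDs resolved to names.
# $ComputerDN and $Delegate are placeholders; substitute your own values.
param(
    [string]$ComputerDN = 'CN=TESTPC01,OU=Computers,DC=Domain,DC=CA',
    [string]$Delegate   = 'DOMAIN\Add Computers Group'
)

Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$rootDse = Get-ADRootDSE
$guidMap = @{}

# Schema classes and attributes: schemaIDGUID -> lDAPDisplayName
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
             -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights, validated writes and property sets: rightsGuid -> name
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Hypothetical helper: turn an ACE GUID into something readable.
function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty)     { return '(all)' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()          # unknown GUID: show it raw
}

# Explicit (non-inherited) ACEs for the delegate only; inherited ACEs come
# from the OU and are not part of what the ADUC delegation added.
(Get-Acl -Path "AD:\$ComputerDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate -and -not $_.IsInherited } |
    Select-Object AccessControlType,
                  ActiveDirectoryRights,
                  @{ Name = 'AppliesTo';     Expression = { Resolve-AceGuid $_.ObjectType } },
                  @{ Name = 'InheritedType'; Expression = { Resolve-AceGuid $_.InheritedObjectType } } |
    Format-Table -AutoSize
```

Running it against a domain at each functional level you support shows whether the set of ACEs differs between versions, which the reply notes may be the case.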