Hi,
 
Using the delegation of control wizard you can delegate the creation of 
computer accounts to the domain. This does not mean the same user/group can 
also JOIN the computer to the domain. In the DELEGWIZ.INF file (%WINDIR%\INF) 
look at template 6.
By default "AppliesToClasses" is set to "domainDNS" (case sensitive and 
without quotes). With this you can only delegate computer account creation at 
domain level. Change that to "domainDNS,organizationalUnit,container" (case 
sensitive and without quotes) and you will be able to delegate at OU level.
 
If you delegate the creation of computer accounts to a group (e.g. 
GROUP-CREATE-COMPOBJ), the member of that group that creates the computer 
becomes the owner of the computer account and automatically receives the right 
to join a computer with that name to the domain. The other members of that 
group will not be able to join the computer to the domain. In this case only 
the user that created the computer account will be able to join the computer. 
Let's say you have another group called GROUP-JOIN-COMP that is allowed to join 
(not create computer accounts) to the domain. The user who creates the computer 
account has the possibility to designate which user or group gets the rights to 
join the computer to the domain with the option "The following group or user 
can join this computer to a domain" (by default this is the Domain Admins 
group). The group mentioned in that option will be able to join the computer 
to the domain. In my opinion that is a lot of work just to create a computer 
account and join it.
 
It is however possible to pre-configure the option called "The following group 
or user can join this computer to a domain" (by default the Domain Admins 
group).
 
Add to the DELEGWIZ.INF file (%WINDIR%\INF) a NEW template you can use to 
delegate the task of JOINING COMPUTERS TO THE DOMAIN (not the creation of 
computer accounts) The minimum rights are mentioned below!
 
REPLACE THE X with a NUMBER!
 
;----------------------------------------------------------
[templateX]
AppliesToClasses = domainDNS,organizationalUnit,container
 
Description = "Join a computer to the domain in an OU (computer account pre-created)"
 
ObjectTypes = computer
 
[templateX.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
;----------------------------------------------------------
 
This way you can delegate the creation of computer accounts to group1 and the 
joining of the computers to group2.
 
It is however also possible that you have a group of people who create 
computer accounts and also join them. To enable everyone in that group to 
create computer accounts and join the computers to the domain, independent of 
who created the computer accounts, replace TEMPLATE 6 with what is mentioned 
below or perform the delegation twice with the additional task created above! 
If you want to join a computer to the domain in a specific OU and the computer 
account has not been pre-created you cannot use the GUI at the computer. For 
this you must use the tool NETDOM so you can specify the OU the computer 
account must reside in! The latter is only possible when you at least have the 
right to create a computer object in the designated OU. Joining will also be 
possible because you automatically become the owner of the computer account!
 
;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container
 
Description = "Add and/or join a computer to the domain in an OU (computer)"
 
ObjectTypes = SCOPE, computer
 
[template6.SCOPE]
;Right to create computer objects
computer=CC
 
[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
;----------------------------------------------------------
 
 
Cheers,
#JORGE#
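
As an added example (not from the post above), a small Python check for DELEGWIZ.INF templates of the layout described: it parses the templates, confirms that every entry in ObjectTypes has its own [templateN.<type>] section (a section headed with the wrong template number is the typical slip), that AppliesToClasses allows OU-level delegation, and that the computer section grants the four join rights listed above. The INF fragment and the function names are constructed for this example.

```python
import configparser
import re

# Constructed DELEGWIZ.INF fragment (not a real file): template6 is well formed;
# template7 lists ObjectTypes = computer but has no [template7.computer] section.
SAMPLE_INF = """[template6]
AppliesToClasses = domainDNS,organizationalUnit,container
Description = "Add and/or join a computer to the domain in an OU (computer)"
ObjectTypes = SCOPE, computer
[template6.SCOPE]
;Right to create computer objects
computer=CC
[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
[template7]
AppliesToClasses = domainDNS
Description = "Join a computer to the domain (computer account pre-created)"
ObjectTypes = computer
"""

# Minimum control rights a join-only delegation needs on the computer object.
JOIN_RIGHTS = {"Reset Password", "Validated write to DNS host name",
               "Validated write to service principal name", "Account Restrictions"}

def load_templates(text):
    cp = configparser.ConfigParser(interpolation=None)  # ';' lines are comments
    cp.read_string(text)
    return cp

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def validate_template(cp, name):
    """Return the problems found in [name]; an empty list means it is usable."""
    if name not in cp:
        return [f"section [{name}] is missing"]
    sec, problems = cp[name], []
    if "organizationalUnit" not in split_list(sec.get("AppliesToClasses", "")):
        problems.append("AppliesToClasses lacks organizationalUnit: domain-level only")
    for obj in split_list(sec.get("ObjectTypes", "")):
        sub = f"{name}.{obj}"
        if sub not in cp:
            problems.append(f"ObjectTypes lists {obj} but section [{sub}] is missing")
        elif obj == "computer":  # the join task needs all four control rights
            rights = set(re.findall(r'"([^"]*)"', cp[sub].get("CONTROLRIGHT", "")))
            missing = JOIN_RIGHTS - rights
            if missing:
                problems.append("computer section lacks: " + ", ".join(sorted(missing)))
    return problems
```

Run it against a copy of your own DELEGWIZ.INF by reading the file into load_templates and calling validate_template for each template you edited.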
 

________________________________

From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Fri 7/1/2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permission to Join a pc to domain.



Hi, 

Just some information... 

I have denied all users (authenticated users) from joining computers to the 
domain thanks to the "Default Domain Controller Policy" GPO, and that 
works fine. I do this to prevent authenticated users from creating PCs in the 
"Computers" container, and force admins to manage their own computers, 
that is to say create and join to domain. 

So I grant each admin Full Control of their OU and child objects, 
because they also need such rights to manage other objects. 
Admins can then create their Computer objects in their OU, but my 
question is: are they able and do they have the rights to join their own 
computer to the domain? 

By default, when they create the computer objects in their OU, the 
wizard says "The following group or user can join this computer to a 
domain" and this is by default Domain Admins group..... 

Thanks 

Cheers, 

Yann 


List info   : http://www.activedir.org/List.aspx 
List FAQ    : http://www.activedir.org/ListFAQ.aspx 
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 


