Seeing as that's the default container for creating computer accounts, and the only place those accounts will go when created by a machine joining the domain, I don't see that you're going to achieve what you want.
Any reason you can't just script something to move all undesirable accounts out of that OU? -------------------------------------------------------------- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Greg Felzer [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 26, 2003 3:33 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Remove the ability to create > computer accounts in the computer container > > > Wouldn't this prevent all users from creating computer > accounts? I do not want to prevent them from creating them, > just prevent them from creating them in the computers container. > > Greg Felzer > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Sullivan, Kevin > Sent: Wednesday, February 26, 2003 11:47 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Remove the ability to create > computer accounts in the computer container > > You may want to look into changing the default > msDS-MachineAccountQuota. This setting allows any user to > create 10 computer accounts by default. You can change this > via a script, LDP or ADSI edit. If you change the default > value to 0 then your delegation model will probably work but > the default behavior will be changed. > > It may work... > > Keivn > > -----Original Message----- > From: Greg Felzer [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 26, 2003 11:28 AM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Remove the ability to create computer > accounts in the computer container > > Hello, > > Maybe the collective minds here can come up with something..... > > I have given a group (Join Computers to the Domain group) the > rights to join computers to the domain through the Default > Domain policy. Only this group has rights to join computers > to the domain. > > I have created a web page that creates a computer account (it > checks first to make sure the computer account does not > exist) base upon department specific input from the user. > Once the account is created the user names his computer the > same as the computer account and joins the domain. > > The problem I am having is that some of the user that are > members of the Join Computers to the Domain group are not > using the web page. They are using "My network place", > advanced, network identification.....ect to join the domain. > This creates a computer account in the computer container. > When this happens I get a computer account showing up in the > computer container that I do not know what department it belongs to. > > My solution (that does not work) was to remove all rights > (including System > rights) to the computer container. I figured without rights > they would not be able to create the computer accounts. This > did not work so I denied the ability to create all child > objects for the Join computers group in the Computers > Container. This did not work so I denied the right for > Everyone. Also did not work. > > Any ideas on how to prevent all users from creating computer > objects in the computers container? > > Thanks > Greg > > > > Greg Felzer > MCSE NT4, MCSE 2000, CCA, CCNA, CNA > Senior Systems Engineer > Center for Computing and Information Technology > Medical University of South Carolina > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
