Ms-DS-MachineAccountQuota is set on the domain only. In ADSIEdit, select the properties of the domain, and find ms-ds-machineAccountQuota in the properties list box.

It appears that this is tracked by the ms-ds-CreatorSID attribute of the computer object.

Also, just to split hairs (sorry), the process of "Join Computer to Domain" is different and requires different privileges than "creating computer account". Obviously the "JCtD" would be very helpful if you have pre-staged all of your computer accounts. It appears that you are really interested in creating computer accounts via your web page.

With this said, depending on other extenuating circumstances such as politics, etc., set the ms-DS-MachineAccountQuota to 0 and then delegate the ability to create computer accounts to the appropriate groups on the appropriate OUs. To fully benefit from secure delegation and avoid lots of unnecessary ACLs in your directory you may want to look at third-party solutions. There are different ways to make this process much easier. For a quick example, give someone the ability to "Join Computers to domain" on an OU and then go and look at the ACL. Delegation is very powerful yet complex, and some third parties have made the whole thing a lot easier. (Feel free to ask me offline for specifics, or other reps from third parties that peruse these groups.)

Kevin
Aelita

-----Original Message-----
From: Greg Felzer [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 27, 2003 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

The web script authenticates against AD and checks for group membership in the "Join Computer to the Domain" group. If they are members of the group they are allowed to create the computer account. Their userid is used for the creation of the computer account. This group (Join Computer to the Domain) is allowed to create computer accounts in the appropriate OU and is denied 'create all child objects' in the computer container (which does not prevent them from creating the computer account).

Unless I can set the msDS-MachineAccountQuota on the computer container to prevent everyone from creating computer accounts in this container, the user would still be able to create a computer account in the computer container by joining the domain using 'My Network Places'.

BTW, I cannot find the msDS-MachineAccountQuota property using ADSI Edit, set to show all properties, on any of my user accounts or on the computer container. What object type is the msDS-MachineAccountQuota property available for?

Thanks,
Greg Felzer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr AFRL/VSIO
Sent: Wednesday, February 26, 2003 3:40 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

Greg,

If you restrict it so that no one except the user your web script runs as can create accts, and are specifying the container in your script, then they will still be able to create accts; they will just be forced to use your web script to do so. This would achieve your stated goal, wouldn't it?

-----Original Message-----
From: Greg Felzer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 1:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

Wouldn't this prevent all users from creating computer accounts? I do not want to prevent them from creating them, just prevent them from creating them in the Computers container.

Greg Felzer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sullivan, Kevin
Sent: Wednesday, February 26, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

You may want to look into changing the default msDS-MachineAccountQuota. This setting allows any user to create 10 computer accounts by default.

You can change this via a script, LDP or ADSI Edit. If you change the default value to 0 then your delegation model will probably work, but the default behavior will be changed. It may work...

Kevin

-----Original Message-----
From: Greg Felzer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 11:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Remove the ability to create computer accounts in the computer container

Hello,

Maybe the collective minds here can come up with something.....

I have given a group (Join Computers to the Domain group) the rights to join computers to the domain through the Default Domain policy. Only this group has rights to join computers to the domain. I have created a web page that creates a computer account (it checks first to make sure the computer account does not exist) based upon department-specific input from the user. Once the account is created the user names his computer the same as the computer account and joins the domain.

The problem I am having is that some of the users who are members of the Join Computers to the Domain group are not using the web page. They are using "My Network Places", Advanced, Network Identification, etc. to join the domain. This creates a computer account in the Computers container. When this happens I get a computer account showing up in the Computers container that I do not know what department it belongs to.

My solution (that does not work) was to remove all rights (including System rights) to the Computers container. I figured without rights they would not be able to create the computer accounts. This did not work, so I denied the ability to create all child objects for the Join Computers group in the Computers container. This did not work, so I denied the right for Everyone. Also did not work.

Any ideas on how to prevent all users from creating computer objects in the Computers container?
Thanks,
Greg

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
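The thread above ends with the combination that actually works: the ACL denies on the Computers container had no effect because a join that goes through ms-DS-MachineAccountQuota is not governed by that container's ACL, so the quota has to be set to 0 on the domain head and computer creation then delegated explicitly on the OUs where the web page creates accounts. The script below is an added example, not code from the thread or from any of its participants, written in PowerShell with the RSAT ActiveDirectory module rather than the ADSI Edit / LDP / script methods mentioned in 2003. It reads the quota from the domain object (the only place it exists, which is why Greg could not find it on users or on the Computers container), lists the computer objects that were created through the quota (those are the ones carrying ms-DS-CreatorSID, as Kevin noted; objects created under an explicit Create Child permission do not get it), sets the quota to 0, and delegates Create/Delete computer objects on an OU with dsacls. The OU name, the group name and the `Workstations` OU are placeholders.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module and
# an account that can modify the domain object and the target OU's ACL.
# The OU and group names below are placeholders; adjust to your directory.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$domainDN    = $domain.DistinguishedName
$quotaAttr   = 'ms-DS-MachineAccountQuota'
$creatorAttr = 'ms-DS-CreatorSID'

# 1. Read the quota. It is an attribute of the domain head only (not of users,
#    not of the Computers container), so fetch it from the domain DN.
$quota = (Get-ADObject -Identity $domainDN -Properties $quotaAttr).$quotaAttr
Write-Host "Current $quotaAttr on $domainDN is $quota (the default is 10)"

# 2. Audit: computer objects created through the quota rather than through an
#    explicit Create Child permission carry ms-DS-CreatorSID. The attribute comes
#    back as a byte array; turn it into a SID and resolve it to an account name.
function Get-QuotaCreatedComputer {
    Get-ADComputer -LDAPFilter "($creatorAttr=*)" -Properties $creatorAttr, whenCreated |
        ForEach-Object {
            $sid = [System.Security.Principal.SecurityIdentifier]::new($_.$creatorAttr, 0)
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # creator account may have been deleted since
            [pscustomobject]@{
                Computer  = $_.Name
                Container = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
                Creator   = $creator
                Created   = $_.whenCreated
            }
        }
}

# Objects sitting in CN=Computers with a CreatorSID are exactly the "My Network
# Places" joins Greg is trying to stop; the Creator column tells you who did it.
Get-QuotaCreatedComputer | Sort-Object Created | Format-Table -AutoSize

# 3. Close the quota path. From here on, a user without delegated rights cannot
#    create a computer object anywhere, including the Computers container.
Set-ADDomain -Identity $domain -Replace @{ $quotaAttr = '0' }

# 4. Delegate Create Child / Delete Child, limited to the computer class, on the
#    departmental OU to the group the web page checks. dsacls ships with the OS;
#    /I:T applies the ACE to the OU and everything beneath it.
$ou    = "OU=Workstations,$domainDN"                                   # placeholder OU
$group = "$($domain.NetBIOSName)\Join Computers to the Domain"          # placeholder group
dsacls $ou /I:T /G "${group}:CCDC;computer"
```

Run step 2 before step 3 and keep the output: with the quota at 0 the remaining quota-created objects will not grow, and the Creator column gives you the department information Greg was missing. Note that the dsacls delegation only covers creating the account (the web-page path); joining a machine to an account that already exists is Kevin's "JCtD" case and needs rights on the computer object itself rather than on the OU, which is a separate delegation.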
