That 10-machine rule is governed by the ms-DS-MachineAccountQuota attribute of the default partition. If the value isn't set, the default is 10. Personally, for those who want control of their environment, I recommend setting that value to 0. Note that the error message a person gets when joining with that value set to 0 and no precreated account is the same "exceeded quota" message. That is a small point of confusion in our environment when a new admin forgets to precreate the account before attempting the join.
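As an added example (not part of the thread), the following PowerShell reads the quota the message above refers to, sets it to 0, and then lists the computer objects that were joined under the quota rather than pre-created by someone holding Create Child rights. It assumes the RSAT ActiveDirectory module (which postdates this 2003 thread) and an account allowed to write the domain naming-context head; all function names are this example's own.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and an
# account that may write ms-DS-MachineAccountQuota on the domain NC head.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The attribute lives on the domain naming context head (DC=example,DC=com).
    $dn  = (Get-ADDomain).DistinguishedName
    $obj = Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota'
    $q   = $obj.'ms-DS-MachineAccountQuota'
    if ($null -eq $q) { 10 } else { [int]$q }   # attribute absent = default of 10
}

function Set-MachineAccountQuota {
    param([int]$Value = 0)
    # 0 means only principals with an explicit Create Child right on a container can join.
    $dn = (Get-ADDomain).DistinguishedName
    Set-ADObject -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = $Value }
}

function Get-QuotaJoinedComputers {
    # A computer created by a non-privileged user under the quota records that user's SID
    # in mS-DS-CreatorSID; objects pre-created by an admin with Create Child rights do not.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
      ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $who = $sid.Value
        try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Computer    = $_.Name
            Container   = $_.DistinguishedName
            CreatedBy   = $who          # the user who spent a quota slot on this object
            WhenCreated = $_.whenCreated
        }
      }
}

"Quota before: $(Get-MachineAccountQuota)"
Set-MachineAccountQuota -Value 0
"Quota after:  $(Get-MachineAccountQuota)"
Get-QuotaJoinedComputers | Sort-Object CreatedBy | Format-Table -AutoSize
```

Run the audit part first: any entry it lists is a machine that an ordinary user was able to add without delegated rights, and that user still holds the default creator permissions on that object, which is worth knowing before you turn the quota off.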



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Schut
Sent: Friday, September 19, 2003 6:16 PM
To: [EMAIL PROTECTED]

I have experienced the same problem: if local site admins are joining computer objects to the domain, it will not join them in the OU where the admin has delegated rights.

 

A workaround (I did not find another solution yet) for this problem is to let the local admin create the computer objects in advance in the respective OU; the local admin can then join the computer accounts to the domain with no problems.

 

Another issue that arises when the admin has done this without creating the computer object in advance is the 10x joining rule.

 

This article was previously published under Q251335

 

Windows 2000 grants the "Add workstations to domain" privilege to the Authenticated Users group by default. When this privilege is enabled, authenticated users can bypass the access control list (ACL) check for up to a predefined maximum value. To prevent misuse, the maximum number of machine accounts any authenticated user can join is 10 by default.

 

Because the admin only has rights on the OU where he or she has delegated rights, he or she can create as many computer objects as necessary within that OU. But if the object is joined to the domain and placed in the built-in Computers container, the above-mentioned rule applies.

 

 

Regards,

 

Dennis Schut - MCP - MCSA 2K & 2K3 - MCSAS - MCSE - MCSES

Technical Consultant
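As an added example (not part of the thread), here is the pre-create workaround described above, together with the delegation it relies on and a check that the join landed where intended. It assumes the RSAT ActiveDirectory module and dsacls.exe; the OU, group, domain and computer names are this example's own, and steps 1, 2 and 4 run on an admin workstation while step 3 runs on the PC being joined.

```powershell
# Added example, not from the thread. OU, group, domain and computer names are assumptions.
# Needs the RSAT ActiveDirectory module; dsacls.exe ships with AD DS / the support tools.
Import-Module ActiveDirectory

$siteOU    = 'OU=Amsterdam,OU=Sites,DC=example,DC=com'   # assumed site OU
$siteGroup = 'EXAMPLE\Site-Amsterdam-Admins'             # assumed delegated group
$computer  = 'WS-AMS-0042'                               # assumed new PC name

# 1. Delegation (once per site OU, as a domain admin): Create Child / Delete Child of class
#    computer, inherited to the OU and its sub-OUs. A principal holding an explicit create
#    right is not subject to ms-DS-MachineAccountQuota in that container.
dsacls $siteOU /I:T /G "${siteGroup}:CCDC;computer"

# 2. Pre-create the account in the site OU (run by the site admin). The creating principal
#    owns the object and receives the class's default Creator Owner permissions, which is
#    why the pre-created object can then be joined by the same admin.
if (-not (Get-ADComputer -LDAPFilter "(sAMAccountName=$computer`$)" -SearchBase $siteOU)) {
    New-ADComputer -Name $computer -SAMAccountName "$computer`$" -Path $siteOU -Enabled $true
}

# 3. Join from the workstation as the site admin. -OUPath points the join at the site OU,
#    so it binds to the pre-created object instead of trying CN=Computers.
$cred = Get-Credential -UserName 'EXAMPLE\siteadmin' -Message 'Site admin credentials'
Add-Computer -DomainName 'example.com' -OUPath $siteOU -Credential $cred -Restart

# 4. Verify (from the admin workstation after the reboot) that the object sits in the site
#    OU and carries no creator SID, i.e. it was not created under the quota.
$obj = Get-ADComputer $computer -Properties mS-DS-CreatorSID
if ($obj.DistinguishedName -notlike "*,$siteOU") {
    Write-Warning "$computer ended up in $($obj.DistinguishedName)"
}
if ($obj.'mS-DS-CreatorSID') {
    Write-Warning "$computer was created under ms-DS-MachineAccountQuota, not by delegated rights"
}
```

Step 1 is what the original question is really asking for: once the site group can create computer objects in its OU, a join that names that OU (step 3 without step 2) succeeds without touching the quota, and the pre-create in step 2 becomes an optional way to pick the name and placement ahead of time.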

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, September 19, 2003 22:16
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Add computers to domain permissions

 

 

We have many remote sites and an OU for each remote site. We're delegating our site admins permissions to their site OUs, and creating security group restriction policies to grant them local admin permissions on their users' desktops.

The problem we're having is the site admins can't join new PCs to the domain. A Microsoft TS told us that AD will automatically add a PC to an OU that you have rights to, but this doesn't seem to be the case. It appears it's trying to add it to the builtin Computers container instead, and the site admins don't have rights to that.

How do we solve this? Is there some type of a script that we need to be using to do this? We don't want to use RIS. We want all our remote sites to be able to join computers to their OU at will.

Thanks



List info   : http://www.activedir.org/mail_list.htm

List FAQ    : http://www.activedir.org/list_faq.htm

List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
