The user will need to be an admin on the computer itself. I know of no way
around that.
In AD if using the GUI, simply specify the person or group that can do the
join when creating the object.
If creating the machine account via script, delegate the following to the
computer:
Write Account Restrictions
Write Service Principal Name
Write DNS Host Name
Reset Password
Here is some perl code for that little piece that I use to write ACLs to an
OU for that purpose.
use strict;
use warnings;
use Win32::OLE;

# Setup so the fragment runs on its own: bind to the OU whose DACL receives the
# delegation and pull its discretionary ACL. The OU path, the group name and the
# $debug switch are placeholders for whatever the calling script supplies.
my $debug         = 1;
my $securitygroup = 'EXAMPLE\JoinComputers';                                # placeholder
my $ou = Win32::OLE->GetObject('LDAP://OU=Workstations,DC=example,DC=com')  # placeholder
    or die "Cannot bind to OU: " . Win32::OLE->LastError();
my $sd   = $ou->Get('ntSecurityDescriptor');
my $dACL = $sd->{DiscretionaryAcl};

# ADSI constants shared by every ACE below
my $COMPUTER_CLASS = '{BF967A86-0DE6-11D0-A285-00AA003049E2}';  # schemaIDGUID of class computer
my $ADS_RIGHT_DS_WRITE_PROP     = 32;   # write a property / property set
my $ADS_RIGHT_DS_SELF           = 8;    # validated write
my $ADS_RIGHT_DS_CONTROL_ACCESS = 256;  # extended right
my $ADS_FLAG_BOTH_TYPES_PRESENT = 3;    # ObjectType and InheritedObjectType are both set
my $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5;
my $ADS_ACEFLAG_INHERIT_ONLY_TO_CHILDREN = 10;  # INHERIT_ACE (2) | INHERIT_ONLY_ACE (8):
                                                # applies to child computer objects, not to the OU itself

# Build one object-specific allow ACE for $securitygroup on computer objects and
# add it to the OU's DACL.
sub add_ace {
    my ($label, $object_type, $access_mask) = @_;
    print " Setting $securitygroup with $label on Computers...\n" if $debug;
    my $ace = Win32::OLE->CreateObject("AccessControlEntry");
    $ace->{Trustee}             = $securitygroup;
    $ace->{ObjectType}          = $object_type;
    $ace->{InheritedObjectType} = $COMPUTER_CLASS;
    $ace->{AccessMask}          = $access_mask;
    $ace->{Flags}               = $ADS_FLAG_BOTH_TYPES_PRESENT;
    $ace->{AceType}             = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
    $ace->{AceFlags}            = $ADS_ACEFLAG_INHERIT_ONLY_TO_CHILDREN;
    $dACL->AddAce($ace);
}

# Write Account Restrictions on computer (property set)
add_ace('Write Account Restrictions', '{4C164200-20C0-11D0-A768-00AA006E0529}', $ADS_RIGHT_DS_WRITE_PROP);
# Validated Write servicePrincipalName on computer
add_ace('Write servicePrincipalName',  '{F3A64788-5306-11D1-A9C5-0000F80367C1}', $ADS_RIGHT_DS_SELF);
# Validated Write dNSHostName on computer
add_ace('Write dNSHostName',           '{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}', $ADS_RIGHT_DS_SELF);
# Reset Password on computer (extended right)
add_ace('Reset Password',              '{00299570-246D-11D0-A768-00AA006E0529}', $ADS_RIGHT_DS_CONTROL_ACCESS);

# Write the modified DACL back to the OU
$sd->{DiscretionaryAcl} = $dACL;
$ou->Put('ntSecurityDescriptor', $sd);
$ou->SetInfo();
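As an added check (not part of the reply above or the Perl it quotes), the PowerShell below reads an OU's DACL back through ADSI and confirms that the delegated group holds exactly the four computer-scoped ACEs the Perl writes, and nothing broader such as a GenericAll or a non-object-specific write. The OU path and group name are placeholders; the GUIDs are the same schema and rights GUIDs used in the Perl.

```powershell
# Audit an OU for the computer-join delegation: the four expected object-specific
# ACEs must be present for the trustee, and any other ACE for that trustee is
# reported as broader than the delegation needs.
$OuPath  = "LDAP://OU=Workstations,DC=example,DC=com"   # placeholder OU
$Trustee = "EXAMPLE\JoinComputers"                      # placeholder group

# schemaIDGUID of class computer: the ACEs must be scoped to child computer objects
$ComputerClass = [guid]"BF967A86-0DE6-11D0-A285-00AA003049E2"

# rightsGuid / property-set GUIDs, same values as in the Perl above
$Expected = @{
    "Write Account Restrictions"  = [guid]"4C164200-20C0-11D0-A768-00AA006E0529"
    "Validated write SPN"         = [guid]"F3A64788-5306-11D1-A9C5-0000F80367C1"
    "Validated write dNSHostName" = [guid]"72E39547-7B18-11D1-ADEF-00C04FD8D5CD"
    "Reset Password"              = [guid]"00299570-246D-11D0-A768-00AA006E0529"
}

$ou    = [ADSI]$OuPath
# explicit and inherited rules, identities resolved to DOMAIN\Name form
$rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $true,
            [System.Security.Principal.NTAccount])

$forTrustee = @($rules | Where-Object { $_.IdentityReference.Value -eq $Trustee })

foreach ($name in $Expected.Keys) {
    $hit = $forTrustee | Where-Object {
        $_.AccessControlType   -eq 'Allow'          -and
        $_.ObjectType          -eq $Expected[$name] -and
        $_.InheritedObjectType -eq $ComputerClass
    }
    "{0,-30} {1}" -f $name, $(if ($hit) { "present" } else { "MISSING" })
}

# Anything else granted to the trustee on this OU (including ACEs with an empty
# ObjectType, i.e. generic rights over whole objects) exceeds the delegation.
$forTrustee |
    Where-Object { @($Expected.Values) -notcontains $_.ObjectType } |
    ForEach-Object {
        "EXTRA: {0} {1} (ObjectType {2}, inherit {3})" -f `
            $_.AccessControlType, $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritanceType
    }
```

Run it from a domain-joined host as an account that can read the OU's security descriptor. Because the Perl sets AceFlags to 10 (inherit to children, inherit-only), the expected ACEs carry an InheritanceType of Descendents and never apply to the OU object itself; an ACE reported as EXTRA with an empty ObjectType is the case worth investigating, since that is how a delegation grows into the ability to overwrite computer accounts that are already in use.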
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of fact hunter
Sent: Wednesday, October 22, 2003 10:39 AM
To: [EMAIL PROTECTED]
I want to allow a low level user to join a computer to the domain only when
the computer account has been pre-populated as a new account or the account
has been reset in the case of a reimage. However, I do not want them to be
able to overwrite computer accounts that are in use.
Any help is appreciated.
Ama
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/