Joe,
Thanks for the reply.
The users are admins on the computer, that's not a
problem.
The problem we are having with delegating Write
Account Restrictions, Write Service Principal Name,
Write DNS Host Name and Reset Password perms is that
the users/workstation techs can join a computer to the
domain with the same name as a computer that already
exists, thus disjoining the first computer.
We are looking to make it necessary that a Domain Admin
reset the computer account before the
users/workstation techs can join that computer.
--- Joe <[EMAIL PROTECTED]> wrote:
> The user will need to be an admin on the computer
> itself. I know of no way
> around that.
>
> In AD if using the GUI, simply specify the person
> or group that can do the
> join when creating the object.
>
> If creating the machine account via script, delegate
> the following to the
> computer:
>
> Write Account Restrictions
> Write Service Principal Name
> Write DNS Host Name
> Reset Password
>
>
> Here is some Perl code for that little piece that I
> use to write ACLs to an
> OU for that purpose.
>
> use strict;
> use warnings;
> use Win32::OLE;
>
> # Setup around the fragment: bind to the OU, read its security descriptor
> # and take the DACL that the ACEs below are added to. The OU path and the
> # group name are placeholders for this listing.
> my $debug         = 1;
> my $securitygroup = "EXAMPLE\\WorkstationTechs";
> my $ou = Win32::OLE->GetObject("LDAP://OU=Workstations,DC=example,DC=com")
>     or die "Cannot bind to OU: " . Win32::OLE->LastError();
> my $sd   = $ou->Get("ntSecurityDescriptor");
> my $dACL = $sd->{DiscretionaryAcl};
>
> # Schema class and rights GUIDs
> my $COMPUTER_CLASS        = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
> my $ACCOUNT_RESTRICTIONS  = "{4C164200-20C0-11D0-A768-00AA006E0529}"; # Account Restrictions property set
> my $VALIDATED_SPN         = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"; # validated write servicePrincipalName
> my $VALIDATED_DNSHOSTNAME = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"; # validated write dNSHostName
> my $RESET_PASSWORD        = "{00299570-246D-11D0-A768-00AA006E0529}"; # Reset Password extended right
>
> # ADSI constants (iads.h) behind the raw numbers in the original
> my $ADS_RIGHT_DS_SELF           = 0x8;   # validated write
> my $ADS_RIGHT_DS_WRITE_PROP     = 0x20;  # write property / property set
> my $ADS_RIGHT_DS_CONTROL_ACCESS = 0x100; # extended right
> my $ADS_FLAG_OBJECT_TYPE_PRESENT           = 0x1;
> my $ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 0x2;
> my $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT      = 0x5;
> my $ADS_ACEFLAG_INHERIT_ACE                = 0x2;
> my $ADS_ACEFLAG_INHERIT_ONLY_ACE           = 0x8;
>
> # Add one object-specific allow ACE that is inherited by computer objects
> # under the OU (inherit-only, so it grants nothing on the OU itself).
> sub add_computer_ace {
>     my ($label, $object_type, $access_mask) = @_;
>     print " Setting $securitygroup with $label on Computers...\n" if $debug;
>     my $ace = Win32::OLE->CreateObject("AccessControlEntry")
>         or die "CreateObject failed: " . Win32::OLE->LastError();
>     $ace->{Trustee}             = $securitygroup;
>     $ace->{ObjectType}          = $object_type;
>     $ace->{InheritedObjectType} = $COMPUTER_CLASS;
>     $ace->{AccessMask}          = $access_mask;
>     $ace->{Flags}    = $ADS_FLAG_OBJECT_TYPE_PRESENT | $ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT; # 3
>     $ace->{AceType}  = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;                                     # 5
>     $ace->{AceFlags} = $ADS_ACEFLAG_INHERIT_ACE | $ADS_ACEFLAG_INHERIT_ONLY_ACE;              # 10
>     $dACL->AddAce($ace);
> }
>
> add_computer_ace("Write Account Restrictions", $ACCOUNT_RESTRICTIONS,  $ADS_RIGHT_DS_WRITE_PROP);
> add_computer_ace("Write servicePrincipalName", $VALIDATED_SPN,         $ADS_RIGHT_DS_SELF);
> add_computer_ace("Write dNSHostName",          $VALIDATED_DNSHOSTNAME, $ADS_RIGHT_DS_SELF);
> add_computer_ace("Reset Password",             $RESET_PASSWORD,        $ADS_RIGHT_DS_CONTROL_ACCESS);
>
> # Write the modified DACL back to the OU
> $sd->{DiscretionaryAcl} = $dACL;
> $ou->Put("ntSecurityDescriptor", $sd);
> $ou->SetInfo();
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of fact hunter
> Sent: Wednesday, October 22, 2003 10:39 AM
> To: [EMAIL PROTECTED]
>
> I want to allow a low level user to join a computer
> to the domain only when
> the computer account has been pre-populated as a new
> account or the account
> has been reset in the case of a reimage. However, I
> do not want them to be
> able to overwrite computer accounts that are in use.
>
> Any help is appreciated.
>
> Ama
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product
> search
> http://shopping.yahoo.com
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
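The Perl script in Joe's reply grants the four join rights as an inherited ACE on the OU, which is exactly why a tech can re-join a box with the name of an account that is already in use. The per-object variant Joe mentions for the GUI case ("specify the person or group that can do the join when creating the object") keeps the grant on one pre-staged account only. The following is an added example, not code from the thread: it grants the same four rights (same GUIDs as the Perl) on a single pre-staged computer object with no inheritance, removes them again once the machine has joined, and audits which objects under an OU the tech group can still take over. It assumes the RSAT ActiveDirectory module (which provides the AD: drive); the OU, group, domain and machine names are placeholders.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and its AD: drive. OU, group, domain and computer names are placeholders.
Import-Module ActiveDirectory

# The same four rights the Perl script delegates, keyed by GUID
$JoinRights = @{
    '4C164200-20C0-11D0-A768-00AA006E0529' = 'WriteProperty' # Account Restrictions property set
    'F3A64788-5306-11D1-A9C5-0000F80367C1' = 'Self'          # validated write servicePrincipalName
    '72E39547-7B18-11D1-ADEF-00C04FD8D5CD' = 'Self'          # validated write dNSHostName
    '00299570-246D-11D0-A768-00AA006E0529' = 'ExtendedRight' # Reset Password
}
$ResetPasswordGuid = '00299570-246d-11d0-a768-00aa006e0529'

# Grant the four rights on ONE computer object, explicit and non-inherited.
# Nothing is placed on the OU, so other computer objects are untouched.
function Grant-JoinRights {
    param([string]$DN, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$DN"
    foreach ($guid in $JoinRights.Keys) {
        $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Sid, [System.DirectoryServices.ActiveDirectoryRights]$JoinRights[$guid], 'Allow', [Guid]$guid)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$DN" -AclObject $acl
}

# Remove exactly those explicit ACEs again (after the join, or on retirement),
# so the trustee cannot later re-join a machine using this account's name.
function Revoke-JoinRights {
    param([string]$DN, [string]$Trustee)   # e.g. 'EXAMPLE\WorkstationTechs'
    $acl = Get-Acl -Path "AD:\$DN"
    $acl.Access |
        Where-Object { -not $_.IsInherited -and
                       $_.IdentityReference.Value -eq $Trustee -and
                       $JoinRights.ContainsKey([string]$_.ObjectType) } |
        ForEach-Object { [void]$acl.RemoveAccessRuleSpecific($_) }
    Set-Acl -Path "AD:\$DN" -AclObject $acl
}

# Audit: which computer objects under the OU carry a Reset Password ACE for
# the trustee. Those are the accounts the group can take over with a join;
# Inherited = True means an OU-wide delegation (as in the Perl) is still in place.
function Get-JoinableComputers {
    param([string]$OuDN, [string]$Trustee)
    Get-ADComputer -SearchBase $OuDN -Filter * | ForEach-Object {
        $acl  = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Trustee -and
            ([string]$_.ObjectType) -eq $ResetPasswordGuid
        }
        if ($aces) {
            [pscustomobject]@{
                Computer  = $_.Name
                Inherited = [bool]($aces | Where-Object IsInherited)
            }
        }
    }
}

# Usage (placeholder names): a Domain Admin pre-stages and delegates, the tech
# joins, the admin revokes. On a reimage the admin repeats the grant.
$ouDN    = 'OU=Workstations,DC=example,DC=com'
$trustee = 'EXAMPLE\WorkstationTechs'
$group   = Get-ADGroup -Identity 'WorkstationTechs'
New-ADComputer -Name 'WS-PRESTAGE01' -Path $ouDN -Enabled $true
Grant-JoinRights  -DN "CN=WS-PRESTAGE01,$ouDN" -Sid $group.SID
Get-JoinableComputers -OuDN $ouDN -Trustee $trustee   # should list only WS-PRESTAGE01, Inherited = False
# ... after the workstation tech has joined the machine:
Revoke-JoinRights -DN "CN=WS-PRESTAGE01,$ouDN" -Trustee $trustee
```

With no inherited grant on the OU, a join attempt against the name of an in-use account fails on that object's own ACL, which is the gate the original question asks for. The explicit ACE does not disappear when the machine joins, so the revoke step (or a Domain Admin re-granting only after a reset) is what keeps a tech from re-using a staged name; the audit reports Reset Password ACEs because that is the right that lets an existing account be taken over, and a True in its Inherited column is the sign that an OU-level delegation like the Perl script's is still active and should be removed.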