Ah... Didn't think someone would try that, but it is valid. I don't have a lab to test right this second, but I think I would start with removing the Reset Password delegation and see if that buys anything.
Joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ama Hanjef
Sent: Thursday, October 23, 2003 11:38 AM
To: [EMAIL PROTECTED]

Joe,

Thanks for the reply. The users are admins on the computer; that's not a problem. The problem we are having with delegating Write Account Restrictions, Write Service Principal Name, Write DNS Host Name and Reset Password perms is that the users/workstation techs can join a computer to the domain with the same name as a computer that already exists, thus disjoining the first computer. We are looking to make it necessary that a Domain Admin reset the computer account before the users/workstation techs can join that computer.

--- Joe <[EMAIL PROTECTED]> wrote:
> The user will need to be an admin on the computer itself. I know of no
> way around that.
>
> In AD, if using the GUI, simply specify the person or group that can
> do the join when creating the object.
>
> If creating the machine account via script, delegate the following to
> the computer:
>
> Write Account Restrictions
> Write Service Principal Name
> Write DNS Host Name
> Reset Password
>
> Here is some Perl code for that little piece that I use to write ACLs
> to an OU for that purpose.
>
> use strict;
> use warnings;
> use Win32::OLE;
>
> # Placeholders: the original script sets these elsewhere. Bind to the OU
> # whose child computer objects the group should be allowed to join and
> # pull its current DACL so the new ACEs are appended to it.
> my $debug         = 1;
> my $securitygroup = "EXAMPLE\\WorkstationTechs";
> my $ou   = Win32::OLE->GetObject("LDAP://OU=Workstations,DC=example,DC=com");
> my $sd   = $ou->Get("ntSecurityDescriptor");
> my $dACL = $sd->{DiscretionaryAcl};
> my $ace;
>
> # Common settings for every ACE below:
> #   AceType  5  = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
> #   Flags    3  = ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
> #   AceFlags 10 = ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACE
> #                 (inherit-only: applies to child computer objects, not to the OU itself)
>
> #
> # Write Account Restrictions on computer
> #
> print "  Setting $securitygroup with Write Account Restrictions on Computers...\n" if $debug;
> $ace = Win32::OLE->CreateObject("AccessControlEntry");
> $ace->{Trustee}             = $securitygroup;
> $ace->{ObjectType}          = "{4C164200-20C0-11D0-A768-00AA006E0529}"; # Account Restrictions property set
> $ace->{InheritedObjectType} = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
> $ace->{AccessMask}          = 32;   # ADS_RIGHT_DS_WRITE_PROP
> $ace->{Flags}               = 3;
> $ace->{AceType}             = 5;
> $ace->{AceFlags}            = 10;
> $dACL->AddAce($ace);
> undef $ace;
>
> #
> # Validated Write Service Principal Name on computer
> #
> print "  Setting $securitygroup with Write servicePrincipalName on Computers...\n" if $debug;
> $ace = Win32::OLE->CreateObject("AccessControlEntry");
> $ace->{Trustee}             = $securitygroup;
> $ace->{ObjectType}          = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"; # Validated-SPN
> $ace->{InheritedObjectType} = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
> $ace->{AccessMask}          = 8;    # ADS_RIGHT_DS_SELF (validated write)
> $ace->{Flags}               = 3;
> $ace->{AceType}             = 5;
> $ace->{AceFlags}            = 10;
> $dACL->AddAce($ace);
> undef $ace;
>
> #
> # Validated Write dNSHostName on computer
> #
> print "  Setting $securitygroup with Write dNSHostName on Computers...\n" if $debug;
> $ace = Win32::OLE->CreateObject("AccessControlEntry");
> $ace->{Trustee}             = $securitygroup;
> $ace->{ObjectType}          = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"; # Validated-DNS-Host-Name
> $ace->{InheritedObjectType} = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
> $ace->{AccessMask}          = 8;    # ADS_RIGHT_DS_SELF (validated write)
> $ace->{Flags}               = 3;
> $ace->{AceType}             = 5;
> $ace->{AceFlags}            = 10;
> $dACL->AddAce($ace);
> undef $ace;
>
> #
> # Reset Password on computer
> #
> print "  Setting $securitygroup with Reset Password on Computers...\n" if $debug;
> $ace = Win32::OLE->CreateObject("AccessControlEntry");
> $ace->{Trustee}             = $securitygroup;
> $ace->{ObjectType}          = "{00299570-246D-11D0-A768-00AA006E0529}"; # Reset Password (User-Force-Change-Password)
> $ace->{InheritedObjectType} = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
> $ace->{AccessMask}          = 256;  # ADS_RIGHT_DS_CONTROL_ACCESS (extended right)
> $ace->{Flags}               = 3;
> $ace->{AceType}             = 5;
> $ace->{AceFlags}            = 10;
> $dACL->AddAce($ace);
> undef $ace;
>
> # Write the modified DACL back to the OU.
> $sd->{DiscretionaryAcl} = $dACL;
> $ou->Put("ntSecurityDescriptor", $sd);
> $ou->SetInfo();
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of fact hunter
> Sent: Wednesday, October 22, 2003 10:39 AM
> To: [EMAIL PROTECTED]
>
> I want to allow a low level user to join a computer to the domain only
> when the computer account has been pre-populated as a new account or
> the account has been reset in the case of a reimage. However, I do not
> want them to be able to overwrite computer accounts that are in use.
>
> Any help is appreciated.
>
> Ama
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com
>
> List info    : http://www.activedir.org/mail_list.htm
> List FAQ     : http://www.activedir.org/list_faq.htm
> List archive : http://www.mail-archive.com/activedir%40mail.activedir.org/
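For anyone who wants to try Joe's suggestion in a lab, here is an added PowerShell example. It is not from the list posting and not Joe's Perl; it applies the same four delegations to an OU through System.DirectoryServices, leaves Reset Password out unless -IncludeResetPassword is given (so the with/without variants Joe proposes testing can be compared), and then reads the OU's DACL back so you can see exactly which principals hold each of the four rights on computer objects. The OU DN, the group name and the assumption that it runs as a Domain Admin on a domain-joined host are mine, not the thread's.

```powershell
<#
  Added example, not from the thread. Delegates the four computer-object
  rights discussed above to a tech group on an OU and reads the result back.
  Assumptions (not in the thread): the OU DN and group below are placeholders,
  and the script runs as a Domain Admin on a domain-joined Windows host.
#>
param(
    [string]$OuDn  = 'OU=Workstations,DC=example,DC=com',   # assumption
    [string]$Group = 'EXAMPLE\WorkstationTechs',            # assumption
    [switch]$IncludeResetPassword,                          # off by default, per Joe's suggestion
    [switch]$NoCommit                                       # build the ACEs but do not write them
)

# Schema GUIDs, the same ones used in the Perl posting above.
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$RightNames = @{
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Write Account Restrictions'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write servicePrincipalName'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write dNSHostName'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}
$Delegations = @(
    @{ Guid = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'
       Right = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty },   # 32
    @{ Guid = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
       Right = [System.DirectoryServices.ActiveDirectoryRights]::Self },            # 8
    @{ Guid = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
       Right = [System.DirectoryServices.ActiveDirectoryRights]::Self }             # 8
)
if ($IncludeResetPassword) {
    $Delegations += @{ Guid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
       Right = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight }   # 256
}

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ou  = [ADSI]"LDAP://$OuDn"
$acl = $ou.psbase.ObjectSecurity

foreach ($d in $Delegations) {
    # Descendents + inheritedObjectType=computer is the .NET equivalent of
    # AceFlags=10 (inherit, inherit-only) with InheritedObjectType=computer.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $d.Right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $d.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClass)
    $acl.AddAccessRule($rule)
    Write-Host ("Adding {0} for {1}" -f $RightNames[$d.Guid.ToString()], $Group)
}
if (-not $NoCommit) { $ou.psbase.CommitChanges() }

# Read the DACL back: list every trustee holding any of the four rights on
# computer objects under this OU, so a stray Reset Password grant stands out.
$ou.psbase.RefreshCache()
$ou.psbase.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.NTAccount]) |
    Where-Object { $_.InheritedObjectType -eq $ComputerClass -and
                   $RightNames.ContainsKey($_.ObjectType.ToString()) } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee = $_.IdentityReference.Value
            Right   = $RightNames[$_.ObjectType.ToString()]
            Type    = $_.AccessControlType
            Inherited = $_.IsInherited
        }
    } | Sort-Object Trustee, Right | Format-Table -AutoSize
```

Run it once as-is and once with -IncludeResetPassword against a test OU, then attempt the join of a pre-staged account and of a name already in use from a tech account; the readback table is what to compare between the two runs. Note that the readback only matches object-specific ACEs carrying one of the four GUIDs; a trustee with GenericAll or a blanket WriteProperty on computer objects also effectively holds these rights but is not listed here.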
