Tried that. I get "access denied" when joining the domain, even after resetting the account in ADUC. I even tried delegating Change Password.
Do you know a way to turn on logging or debugging to find out what attempted action (when joining the domain) is failing and causing the access denied?

--- Joe <[EMAIL PROTECTED]> wrote:
> AH... Didn't think someone would try that but it is valid. I don't have a
> lab to test right this second, but I think I would start with removing the
> reset password and see if that buys anything.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ama Hanjef
> Sent: Thursday, October 23, 2003 11:38 AM
> To: [EMAIL PROTECTED]
>
> Joe,
> Thanks for the reply.
> The users are admins on the computer, that's not a problem.
>
> The problem we are having with delegating Write Account Restrictions, Write
> Service Principal Name, Write DNS Host Name and Reset Password perms is that
> the users/workstation techs can join a computer to the domain with the same
> name as a computer that already exists, thus disjoining the first computer.
> We are looking to make it necessary that a Domain Admin reset the computer
> account before the users/workstation techs can join that computer.
>
> --- Joe <[EMAIL PROTECTED]> wrote:
> > The user will need to be an admin on the computer itself. I know of no
> > way around that.
> >
> > In AD if using the GUI, simply specify the person or group that can
> > do the join when creating the object.
> >
> > If creating the machine account via script, delegate the following to
> > the computer:
> >
> > Write Account Restrictions
> > Write Service Principal Name
> > Write DNS Host Name
> > Reset Password
> >
> > Here is some perl code for that little piece that I use to write ACLs
> > to an OU for that purpose.
> >
> > #
> > # Write Account Restrictions on computer
> > #
> > if ($debug) {print "  Setting $securitygroup with Write Account Restrictions on Computers...\n"};
> > $ace = Win32::OLE->CreateObject("AccessControlEntry");
> > $ace->{Trustee}=$securitygroup;
> > $ace->{ObjectType}="{4C164200-20C0-11D0-A768-00AA006E0529}";           # Account Restrictions property set
> > $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}";  # computer class
> > $ace->{AccessMask}=32;   # ADS_RIGHT_DS_WRITE_PROP
> > $ace->{Flags}=3;         # ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
> > $ace->{AceType}=5;       # ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
> > $ace->{aceflags}=10;     # ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACE (child computers only)
> > $dACL->AddAce($ace);
> > undef $ace;
> >
> > #
> > # Validated Write Service Principal Name on computer
> > #
> > if ($debug) {print "  Setting $securitygroup with Write servicePrincipalName on Computers...\n"};
> > $ace = Win32::OLE->CreateObject("AccessControlEntry");
> > $ace->{Trustee}=$securitygroup;
> > $ace->{ObjectType}="{F3A64788-5306-11D1-A9C5-0000F80367C1}";           # servicePrincipalName validated write
> > $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}";  # computer class
> > $ace->{AccessMask}=8;    # ADS_RIGHT_DS_SELF (validated write)
> > $ace->{Flags}=3;
> > $ace->{AceType}=5;
> > $ace->{aceflags}=10;
> > $dACL->AddAce($ace);
> > undef $ace;
> >
> > #
> > # Validated Write dNSHostName on computer
> > #
> > if ($debug) {print "  Setting $securitygroup with Write dNSHostName on Computers...\n"};
> > $ace = Win32::OLE->CreateObject("AccessControlEntry");
> > $ace->{Trustee}=$securitygroup;
> > $ace->{ObjectType}="{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}";           # dNSHostName validated write
> > $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}";  # computer class
> > $ace->{AccessMask}=8;    # ADS_RIGHT_DS_SELF (validated write)
> > $ace->{Flags}=3;
> > $ace->{AceType}=5;
> > $ace->{aceflags}=10;
> > $dACL->AddAce($ace);
> > undef $ace;
> >
> > #
> > # Reset Password on computer
> > #
> > if ($debug) {print "  Setting $securitygroup with Reset Password on Computers...\n"};
> > $ace = Win32::OLE->CreateObject("AccessControlEntry");
> > $ace->{Trustee}=$securitygroup;
> > $ace->{ObjectType}="{00299570-246D-11D0-A768-00AA006E0529}";           # Reset Password extended right
> > $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}";  # computer class
> > $ace->{AccessMask}=256;  # ADS_RIGHT_DS_CONTROL_ACCESS (extended right)
> > $ace->{Flags}=3;
> > $ace->{AceType}=5;
> > $ace->{aceflags}=10;
> > $dACL->AddAce($ace);
> > undef $ace;
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of fact hunter
> > Sent: Wednesday, October 22, 2003 10:39 AM
> > To: [EMAIL PROTECTED]
> >
> > I want to allow a low level user to join a computer to the domain only
> > when the computer account has been pre-populated as a new account or
> > the account has been reset in the case of a reimage. However, I do not
> > want them to be able to overwrite computer accounts that are in use.
> >
> > Any help is appreciated.
> >
> > Ama
> >
> > __________________________________
> > Do you Yahoo!?
> > The New Yahoo! Shopping - with improved product search
> > http://shopping.yahoo.com
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
=== message truncated ===
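A defender-side check, added here and not from the thread or any of its posters: given an OU's DACL as an SDDL string (for instance what PowerShell's Get-Acl returns for a path on the AD: drive) and the techs' group SID, it reports which of the four rights Joe's Perl delegates are not in force for computer objects under that OU. The sample SDDL and the SIDs are constructed; the GUIDs and access-mask bits are the ones used in the Perl above.

```python
import re

# Rights/class GUIDs exactly as in the thread's ACEs (SDDL writes them lower-case, without braces).
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
DELEGATED_RIGHTS = {  # rights GUID: (SDDL right, name); the Perl used AccessMask 32, 8, 8, 256
    "4c164200-20c0-11d0-a768-00aa006e0529": ("WP", "Write Account Restrictions"),
    "f3a64788-5306-11d1-a9c5-0000f80367c1": ("SW", "Validated write servicePrincipalName"),
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": ("SW", "Validated write dNSHostName"),
    "00299570-246d-11d0-a768-00aa006e0529": ("CR", "Reset Password"),
}
RIGHT_BITS = {"WP": 0x20, "SW": 0x08, "CR": 0x100, "GA": 0xF01FF}  # SDDL right -> DS mask bits; GA = generic all


def _mask(rights):
    """SDDL rights field ('WP', 'CRSW', '0x20', ...) -> access mask; unmodelled abbreviations add nothing."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BITS.get(rights[i:i + 2], 0)
    return mask


def parse_dacl(sddl):
    """Yield (ace_type, flags, mask, object_guid, inherited_object_guid, sid) for each DACL ACE."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        parts = body.split(";")
        if len(parts) == 6:  # every SDDL ACE has six fields
            ace_type, flags, rights, obj, inh, sid = parts
            yield ace_type, flags, _mask(rights), obj.lower(), inh.lower(), sid


def missing_delegations(sddl, trustee_sid):
    """Names of the four join-related rights trustee_sid lacks on computer objects below this OU (allow ACEs only)."""
    held = set()
    for ace_type, flags, mask, obj, inh, sid in parse_dacl(sddl):
        if sid != trustee_sid or ace_type not in ("A", "OA") or "CI" not in flags:
            continue  # wrong trustee, not an allow ACE, or does not propagate to child objects
        if inh and inh != COMPUTER_CLASS:
            continue  # scoped to another object class, so it never lands on a computer
        for guid, (right, name) in DELEGATED_RIGHTS.items():
            if obj in ("", guid) and mask & RIGHT_BITS[right]:
                held.add(name)
    return {name for _, name in DELEGATED_RIGHTS.values()} - held


# Constructed sample OU DACL: the techs group got three rights, Reset Password went to another group.
TECHS, OTHER = "S-1-5-21-1111111111-2222222222-3333333333-1105", "S-1-5-21-1111111111-2222222222-3333333333-1106"
SAMPLE_SDDL = "O:DAG:DAD:PAI" + "".join(
    f"(OA;CIIO;{right};{guid};{COMPUTER_CLASS};{OTHER if right == 'CR' else TECHS})"
    for guid, (right, _) in DELEGATED_RIGHTS.items()
)
```

A deny ACE for the same trustee, or a right granted only on the OU itself without container inheritance, is reported as missing or not at all, so read the result alongside the raw ACL rather than as the final word.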
