Hey Deji, quick point. You don't need ADS_UF_PASSWD_NOTREQD set on the machine account, and since that flag tells the DC the account is allowed to have no password at all, it is better left off. I approached MS previously on this. Some of their tools set it and some of them don't; they are inconsistent, but it works fine without it. joe
_____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, October 27, 2003 3:16 PM To: [EMAIL PROTECTED] > > I want to allow a low-level user to join a > computer to the domain only > > when the computer account has been pre-populated > as a new account or > > the account has been reset in the case of a > reimage. However, I do not > > want them to be able to overwrite computer > accounts that are in use. > > > > Any help is appreciated. Here is a modified copy of the script I use for this purpose. I have tried to put some intelligent comments in there for understanding. Normally, I'd send this to you directly, but I can't get your email. How it works is that you supply the computer name, the user who will be joining that computer, the OU/container the account should be created in, and the credentials to bind with; the script creates the computer account and then stamps onto that one object the ACEs the user needs to perform the join, so the user gets no rights over any other computer account. If the code wraps or needs some debugging, email me offline. The full code is a more complicated ASP that sets all the required parameters based on authentication. If you need that, I can share it too. HTH Deji Akomolafe, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
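-anon
_____
' ---------------------------------------------------------------------------
' Pre-create one computer account in Active Directory and grant a single
' (non-admin) user only the rights needed to join THAT computer to the domain.
'
' Inputs (hard-coded placeholders below; the full ASP version reads them from
' a database after authenticating the caller):
'   strComputer            computer name, without the trailing "$"
'   strComputerUser        trustee that will perform the join, as DOMAIN\user
'                          (a SID string in "S-1-5-..." form is also accepted
'                          by IADsAccessControlEntry.Trustee)
'   strContainerPath       ADsPath of the OU/container to create the account in
'   strUserName /          credentials used to bind to AD (see the note where
'   strPassword            they are set)
'   blnModifyExisting      False (default): stop if the account already exists,
'                          so an account that is in use is never handed over.
'                          True: re-stamp the ACEs on the existing account
'                          instead (use after a reimage / account reset).
'   blnPasswdNotReqd       whether to set ADS_UF_PASSWD_NOTREQD on creation
'                          (see the note where it is set; default False)
'
' The ACEs are written only to this one computer object, so the user gains no
' rights over any other computer account in the container.
'
' Runs under WSH (cscript/wscript).  Under ASP replace WScript.Echo/Quit with
' Response.Write/Response.End; everything else is host-neutral.
' ---------------------------------------------------------------------------
Option Explicit
On Error Resume Next

Dim strComputer, strComputerUser, strComputerDescription, strContainerPath
Dim strUserName, strPassword, blnModifyExisting, blnPasswdNotReqd
Dim openDS, objContainer, objComputer, objSecurityDescriptor, objDACL
Dim lngUserAccountControl

' ADS_USER_FLAG_ENUM
Const ADS_UF_PASSWD_NOTREQD = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000
' ADS_AUTHENTICATION_ENUM
Const ADS_SECURE_AUTHENTICATION = &h1
' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
' ADS_RIGHTS_ENUM
Const ADS_RIGHT_GENERIC_READ = &h80000000
Const ADS_RIGHT_DS_SELF = &h8
Const ADS_RIGHT_DS_WRITE_PROP = &h20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
' controlAccessRight rightsGuid values (extended rights, a property set and
' two validated writes)
Const ALLOWED_TO_AUTHENTICATE = "{68B1D179-0D15-4d4f-AB71-46152E79A7BC}"
Const RECEIVE_AS = "{AB721A56-1E2f-11D0-9819-00AA0040529B}"
Const SEND_AS = "{AB721A54-1E2f-11D0-9819-00AA0040529B}"
Const USER_CHANGE_PASSWORD = "{AB721A53-1E2f-11D0-9819-00AA0040529b}"
Const USER_FORCE_CHANGE_PASSWORD = "{00299570-246D-11D0-A768-00AA006E0529}"
Const USER_ACCOUNT_RESTRICTIONS = "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"

' ---- parameters -----------------------------------------------------------
' Name of the computer to create, or (when blnModifyExisting is True) of the
' existing computer whose ACL should be re-stamped.
strComputer = "NEWPC01"
' The user who will join the computer to the domain AFTER we created it in AD.
strComputerUser = "MYDOMAIN\jdoe"
strComputerDescription = "Created by blahblah"
' OU/container the computer account is created in.
strContainerPath = "LDAP://OU=MyComputers,DC=myChild,DC=myParent,DC=com"
' Never overwrite an account that is already there unless explicitly asked.
blnModifyExisting = False

' Binding credentials.  Do NOT hard-code these: prompt with InputBox, or read
' them from a protected store at run time.  The account does not need to be a
' Domain Admin: "Create Computer objects" on the target OU should be enough,
' because the creator owns the new object and can therefore write its DACL
' (verify in your domain before delegating).
strUserName = "NameOfTheAccountThatCreatesComputers"
strPassword = "myPass"

' joe's reply in this thread: ADS_UF_PASSWD_NOTREQD is not needed on the
' machine account, and the flag declares that the account may have no
' password.  Leave it off; set this to True only if creation fails in your
' domain without it.
blnPasswdNotReqd = False
' ---------------------------------------------------------------------------

' Builds one access-allowed ACE for strTrustee.  lngMask is an ADS_RIGHTS_ENUM
' mask; strObjectGuid scopes the ACE to one extended right / property set /
' validated write, or is "" for a plain (non object-specific) ACE.
' Plain CreateObject (not Server.CreateObject) so the same code runs under
' both WSH and ASP.
Function MakeAce(strTrustee, lngMask, strObjectGuid)
    Dim objAce
    Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee = strTrustee
    objAce.AccessMask = lngMask
    objAce.AceFlags = 0    ' no inheritance flags: this object only
    If strObjectGuid = "" Then
        objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    Else
        objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
        objAce.ObjectType = strObjectGuid
    End If
    Set MakeAce = objAce
End Function

' Reports the message plus the pending Err and stops with a non-zero exit code
' (the original quit with 0 even on failure, which hides errors from callers).
Sub Fail(strMessage)
    WScript.Echo strMessage & " (0x" & Hex(Err.Number) & ": " & Err.Description & ")"
    WScript.Quit 1
End Sub

' ---- bind to the container ------------------------------------------------
Set openDS = GetObject("LDAP:")
' ADS_SECURE_AUTHENTICATION: Negotiate (Kerberos/NTLM) rather than a simple
' bind, so strPassword is not sent across the wire in clear text.
Set objContainer = openDS.OpenDSObject(strContainerPath, strUserName, strPassword, ADS_SECURE_AUTHENTICATION)
If Err.Number <> 0 Then Fail "Unable to bind to " & strContainerPath & " as " & strUserName

' ---- create the computer account ------------------------------------------
lngUserAccountControl = ADS_UF_WORKSTATION_TRUST_ACCOUNT
If blnPasswdNotReqd Then lngUserAccountControl = lngUserAccountControl Or ADS_UF_PASSWD_NOTREQD

Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "Description", strComputerDescription
objComputer.Put "userAccountControl", lngUserAccountControl
objComputer.SetInfo    ' Create() is lazy; a duplicate name fails here
If Err.Number <> 0 Then
    If Not blnModifyExisting Then
        ' Default: never touch an account that already exists, so a computer
        ' that is in use cannot be handed to the user.
        Fail "Unable to create Computer account " & strComputer & ", probably because the name already exists"
    End If
    ' Re-stamping an existing (reset) account.  The in-memory object returned
    ' by Create() was never saved, so bind to the real object instead of
    ' continuing with it (the original script kept using the unsaved object).
    Err.Clear
    Set objComputer = objContainer.GetObject("Computer", "cn=" & strComputer)
    If Err.Number <> 0 Then Fail "Computer account " & strComputer & " does not exist and could not be created"
End If

' ---- grant the join rights ------------------------------------------------
' Same ACE set as the original: read, the Allowed-To-Authenticate / Receive-As /
' Send-As / Change-Password / Reset-Password extended rights, write to the
' Account Restrictions property set, and the validated writes to dNSHostName
' and servicePrincipalName.
' Security caveat: these ACEs persist after the join.  "Reset Password" on a
' computer object lets its holder set the machine account password and thus
' authenticate as that computer at any later time - consider removing these
' ACEs once the join has completed.
Set objSecurityDescriptor = objComputer.Get("ntSecurityDescriptor")
Set objDACL = objSecurityDescriptor.DiscretionaryAcl
If Err.Number <> 0 Then Fail "Unable to read the security descriptor of " & strComputer

objDACL.AddAce MakeAce(strComputerUser, ADS_RIGHT_GENERIC_READ, "")
objDACL.AddAce MakeAce(strComputerUser, ADS_RIGHT_DS_CONTROL_ACCESS, ALLOWED_TO_AUTHENTICATE)
objDACL.AddAce MakeAce(strComputerUser, ADS_RIGHT_DS_CONTROL_ACCESS, RECEIVE_AS)
objDACL.AddAce MakeAce(strComputerUser, ADS_RIGHT_DS_CONTROL_ACCESS, SEND_AS)
objDACL.AddAce MakeAce(strComputerUser, ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD)
objDACL.AddAce MakeAce(strComputerUser, ADS_RIGHT_DS_CONTROL_ACCESS, USER_FORCE_CHANGE_PASSWORD)
objDACL.AddAce MakeAce(strComputerUser, ADS_RIGHT_DS_WRITE_PROP, USER_ACCOUNT_RESTRICTIONS)
objDACL.AddAce MakeAce(strComputerUser, ADS_RIGHT_DS_SELF, VALIDATED_DNS_HOST_NAME)
objDACL.AddAce MakeAce(strComputerUser, ADS_RIGHT_DS_SELF, VALIDATED_SPN)

' NOTE(review): ADSI writes the whole descriptor back (owner, group, DACL and
' SACL).  With a non-admin binding account that can fail on the SACL part; if
' it does, limit the write to the DACL with IADsObjectOptions.SetOption
' ADS_OPTION_SECURITY_MASK before this Put - confirm against your setup.
objSecurityDescriptor.DiscretionaryAcl = objDACL
objComputer.Put "ntSecurityDescriptor", objSecurityDescriptor
objComputer.SetInfo
' The original printed "OK" unconditionally; only report success once the ACL
' write has actually gone through.
If Err.Number <> 0 Then Fail "Unable to write the ACL on " & strComputer

WScript.Echo "OK, I'm Done"

' Release the COM objects.
Set objDACL = Nothing
Set objSecurityDescriptor = Nothing
Set objComputer = Nothing
Set objContainer = Nothing
Set openDS = Nothing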
