"concurrently" in this context means how many computer
object the user "owns" at any given time in AD. If the number of computer
objects he owns is higher than the ms-DS-MachineAccountQuota value, then he
won't be able to add any new machines to the domain.
So by setting the threshold to 0 (zero), you can prevent
ALL non-admin users from adding any computers to the domain. You can't however
set a machineAccount quota for a SPECIFIC user.
Note though, that with 2003 true directory quotas were made
available, which allow you to manage quotas for single users or groups for any
object in the respective directory partition. You can manage these with DSADD
and DSMOD /Quota commands.
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, February 23, 2005 12:03 AM
To: [email protected]
Subject: [ActiveDir] (Similar topic) Add Computer to Domain
Hi
all,
On 9 Feb. there was a discussion about
adding computers to a domain during which Jorge mentioned the user right
"Add workstations to domain" (authenticated users being granted this right
by default), and Justin mentioned KB 251335.
A few questions about that right for anyone
that is inclined:
- How is it
enforced? Is there an attribute or control somewhere that holds a value
for the user account (or maybe the machine accounts he/she
owns)?
- Am I interpreting
this snippet below properly [from that KB]? http://support.microsoft.com/kb/251335/EN-US/ Is it indicating that a given user
account must be associated with (somehow) or is the owner of at
least X active objects in order for it to be enforced? That
"concurrently" is throwing me off. In other words, the limit would not
apply if a user created a machine object, had it deleted, created it again, had
it deleted, etc...?
In the Edit
Attribute box, type a number. This number represents the number of
workstations that you want users to be able to maintain
concurrently.
- I
suppose this all leads to --> Can I prevent a single user from
adding another workstation simply by pushing his value for
this control over the threshold?
Humor me here and forget about ACLs, rights,
and the obvious easier ways to accomplish this! I appreciate it.
Thanks!
-DaveC
Reuters AITS Infrastructure
-----------------------------------------------------------------
Visit our Internet site at http://www.reuters.com
Get closer to the financial markets with Reuters Messaging - for more
information and to register, visit http://www.reuters.com/messaging
Any views expressed in this message are those of the individual
sender, except where the sender specifically states them to be
the views of Reuters Ltd.
