Thanks Guido...understood about the 0 threshold and the quotas.  Specifically, I was more interested in the "behind the scenes" manner in which a DC enforces the MachineAccountQuota, and I see now (after reading more carefully!) that the "ms-ds-creatorsid" on a machine object must be used for that purpose (among others).  I guess I wasn't willing to believe that a DC enumerated every machine account in the directory [looking at that attribute] during the time in which a standard authenticated user attempts to join a machine to the domain.  So much for my belief!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, February 22, 2005 7:37 PM
To: [email protected]
Subject: RE: [ActiveDir] (Similar topic) Add Computer to Domain

"concurrently" in this context means how many computer objects the user "owns" at any given time in AD. If the number of computer objects he owns is higher than the ms-DS-MachineAccountQuota value, then he won't be able to add any new machines to the domain.
 
So by setting the threshold to 0 (zero), you can prevent ALL non-admin users from adding any computers to the domain. You can't however set a machineAccount quota for a SPECIFIC user. 
 
Note though, that with 2003 true directory quotas were made available, which allow you to manage quotas for single users or groups for any object in the respective directory partition. You can manage these with DSADD and DSMOD /Quota commands.
 
/Guido
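As an added example, not part of this thread: a PowerShell audit that reads ms-DS-MachineAccountQuota from the domain head and counts, per creator SID recorded in ms-DS-CreatorSID, how many computer objects each non-admin user currently owns, which is the "concurrently" count Guido describes. It assumes a domain-joined host with the RSAT ActiveDirectory module; the output column names are my own.

```powershell
# Added audit example (not from the thread). Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# ms-DS-MachineAccountQuota is stored on the domain naming context head object.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# Only computers joined through the 'Add workstations to domain' right carry
# ms-DS-CreatorSID; machines created by accounts with Create Child permission do not.
$computers = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
               -Properties 'ms-DS-CreatorSID', 'whenCreated'

$byCreator = $computers | Group-Object {
    # Attribute is returned as a byte array; decode it to a SID string.
    (New-Object System.Security.Principal.SecurityIdentifier($_.'ms-DS-CreatorSID', 0)).Value
}

$report = foreach ($group in $byCreator) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($group.Name)
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = '<unresolved: creator deleted?>' }   # orphaned creator SID

    [PSCustomObject]@{
        Creator     = $account
        CreatorSID  = $group.Name
        Owned       = $group.Count
        # Deleting one of these computer objects frees a slot again (hence "concurrently").
        AtQuota     = ($quota -gt 0 -and $group.Count -ge $quota)
        Computers   = ($group.Group.Name -join ', ')
    }
}

# Creators at or above the quota can no longer join machines; a high count from a
# single non-admin account is worth a closer look.
$report | Sort-Object Owned -Descending | Format-Table Creator, Owned, AtQuota, Computers -AutoSize
```

Resolving a SID fails when the creating user has since been deleted, so the script prints a placeholder rather than stopping; those orphaned machine accounts are themselves useful cleanup candidates.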


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, February 23, 2005 12:03 AM
To: [email protected]
Subject: [ActiveDir] (Similar topic) Add Computer to Domain

Hi all,
 
    On 9 Feb. there was a discussion about adding computers to a domain during which Jorge mentioned the user right "Add workstations to domain" (authenticated users being granted this right by default), and Justin mentioned KB 251335.
 
    A few questions about that right for anyone that is inclined:
 
- How is it enforced?  Is there an attribute or control somewhere that holds a value for the user account (or maybe the machine accounts he/she owns)?
- Am I interpreting this snippet below properly [from that KB]?   http://support.microsoft.com/kb/251335/EN-US/    Is it indicating that a given user account must be associated with (somehow) or is the owner of at least X active objects in order for it to be enforced?  That "concurrently" is throwing me off.  In other words, the limit would not apply if a user created a machine object, had it deleted, created it again, had it deleted, etc...?
    In the Edit Attribute box, type a number. This number represents the number of workstations that you want users to be able to maintain concurrently.
- I suppose this all leads to --> Can I prevent a single user from adding another workstation simply by pushing his value for this control over the threshold?
 
    Humor me here and forget about ACLs, rights, and the obvious easier ways to accomplish this!  I appreciate it.  Thanks!
   
-DaveC
Reuters AITS Infrastructure
 


-----------------------------------------------------------------
Visit our Internet site at http://www.reuters.com

Get closer to the financial markets with Reuters Messaging - for more
information and to register, visit http://www.reuters.com/messaging

Any views expressed in this message are those of the individual
sender, except where the sender specifically states them to be
the views of Reuters Ltd.

