Thanks Guido...understood about the 0 threshold and the quotas. Specifically, I was more interested in the "behind the scenes" manner in which a DC enforces the MachineAccountQuota, and I see now (after reading more carefully!) that the "ms-ds-creatorsid" on a machine object must be used for that purpose (among others). I guess I wasn't willing to believe that a DC enumerated every machine account in the directory [looking at that attribute] during the time in which a standard authenticated user attempts to join a machine to the domain. So much for my belief!
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, February 22, 2005 7:37 PM
To: [email protected]
Subject: RE: [ActiveDir] (Similar topic) Add Computer to Domain
"concurrently" in this context means how many computer objects the user "owns" at any given time in AD. If the number of computer objects he owns is higher than the ms-DS-MachineAccountQuota value, then he won't be able to add any new machines to the domain.

So by setting the threshold to 0 (zero), you can prevent ALL non-admin users from adding any computers to the domain. You can't, however, set a MachineAccountQuota for a SPECIFIC user.

Note, though, that with 2003 true directory quotas were made available, which allow you to manage quotas for single users or groups for any object in the respective directory partition. You can manage these with DSADD and DSMOD /Quota commands.
/Guido
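The count Guido describes, and the enumeration Dave found hard to believe, can be reproduced from a management workstation. The script below is an added example, not code from either mail: it reads ms-DS-MachineAccountQuota from the domain NC head, enumerates the live computer objects whose mS-DS-CreatorSID is the user's SID, and reports whether the next join would be allowed. It assumes the RSAT ActiveDirectory module, a domain-joined session, and a user named 'jdoe' (the account, partition DN and dsadd values at the end are placeholders).

```powershell
# Added example (not from the thread): reproduce the DC's MachineAccountQuota
# check for one user. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaStatus {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domain = Get-ADDomain
    # The quota is a single attribute on the domain NC head (default value 10).
    $nc    = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    $quota = [int]$nc.'ms-DS-MachineAccountQuota'

    # mS-DS-CreatorSID is stored as a binary SID, so the LDAP filter needs the
    # octet-escaped form (\01\05\00...), not the S-1-5-21-... string.
    $sid     = (Get-ADUser -Identity $SamAccountName).SID
    $bytes   = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    $escaped = ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

    # This is the enumeration the DC performs: every existing computer object
    # whose mS-DS-CreatorSID matches the caller. The attribute is only stamped
    # when the object was created through the "Add workstations to domain"
    # privilege; objects created by accounts holding explicit Create Child
    # rights (admins, delegated OU owners) carry no creator SID and count
    # against nobody. Deleted objects are not returned, which is what
    # "concurrently" means in KB 251335.
    $owned = @(Get-ADComputer -LDAPFilter "(mS-DS-CreatorSID=$escaped)")

    [pscustomobject]@{
        User      = $SamAccountName
        Quota     = $quota
        Owned     = $owned.Count
        Remaining = [math]::Max(0, $quota - $owned.Count)
        # Denied once the number of owned objects reaches the quota.
        CanJoin   = ($owned.Count -lt $quota)
        Machines  = $owned.Name
    }
}

Get-MachineAccountQuotaStatus -SamAccountName 'jdoe' | Format-List

# Closing this for ALL non-admins, as Guido says (there is no per-user MAQ):
#   Set-ADDomain -Identity $env:USERDNSDOMAIN -Replace @{'ms-DS-MachineAccountQuota'=0}
# A limit for one user or group instead comes from a 2003 directory quota on
# the partition, e.g. allow jdoe a single object in the domain NC:
#   dsadd quota -part "DC=corp,DC=example" -acct "CORP\jdoe" -qlimit 1
```

Run it as any authenticated user to see the same numbers the DC would use; run it against a service account that has been joining machines for years to see how large a standing footprint the default quota of 10 per account allows before the denial ever fires.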
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, February 23, 2005 12:03 AM
To: [email protected]
Subject: [ActiveDir] (Similar topic) Add Computer to Domain
Hi all,

On 9 Feb. there was a discussion about adding computers to a domain during which Jorge mentioned the user right "Add workstations to domain" (authenticated users being granted this right by default), and Justin mentioned KB 251335.

A few questions about that right for anyone that is inclined:

- How is it enforced? Is there an attribute or control somewhere that holds a value for the user account (or maybe the machine accounts he/she owns)?

- Am I interpreting this snippet below properly [from that KB]? http://support.microsoft.com/kb/251335/EN-US/ Is it indicating that a given user account must be associated with (somehow) or is the owner of at least X active objects in order for it to be enforced? That "concurrently" is throwing me off. In other words, the limit would not apply if a user created a machine object, had it deleted, created it again, had it deleted, etc...?

    In the Edit Attribute box, type a number. This number represents the number of workstations that you want users to be able to maintain concurrently.

- I suppose this all leads to --> Can I prevent a single user from adding another workstation simply by pushing his value for this control over the threshold?
Humor me here and forget about ACLs, rights,
and the obvious easier ways to accomplish this! I appreciate it.
Thanks!
-DaveC
Reuters AITS Infrastructure
-----------------------------------------------------------------
Visit our Internet site at http://www.reuters.com
Get closer to the financial markets with Reuters Messaging - for more
information and to register, visit http://www.reuters.com/messaging
Any views expressed in this message are those of the individual
sender, except where the sender specifically states them to be
the views of Reuters Ltd.
-----------------------------------------------------------------
