Since a DENY takes precedence over an ALLOW, denying Authenticated Users a
right means that no matter what allow rights you set for an individual
user, they will never be allowed to perform that action.
That said, regular old users don't have the ability to add machines to the
domain on their own. You can however delegate the ability to do so to your
managers without granting them further domain admin type rights.
If your admins already have Full Control over their own OUs then you
shouldn't need to make further changes.
andrew
--On Friday, July 01, 2005 5:27 PM +0200 TIROA YANN
<[EMAIL PROTECTED]> wrote:
Hi,
Just some information...
I have denied all users (authenticated users) from joining computers to
the domain thanks to the "Default Domain Controller Policy" GPO, and that
works fine. I do this to prevent authenticated users from creating PCs in
the "Computers" container, and to force admins to manage their own
computers, that is to say create them and join them to the domain.
So I grant each admin Full Control of their OU and child objects,
because they also need such rights to manage other objects.
Admins can then create their computer objects in their OU, but my
question is: are they able, and do they have the rights, to join their
own computers to the domain?
By default, when they create the computer objects in their OU, the
wizard says "The following group or user can join this computer to a
domain" and this is by default Domain Admins group.....
Thanks
Cheers,
Yann
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
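As an added example (not part of the original thread), this is one way to delegate only computer creation and domain join on a single OU, narrower than Full Control, using the built-in dsacls.exe tool. The OU distinguished name and group name are hypothetical placeholders, and the permission set is the one commonly delegated for joining pre-created computer accounts; treat it as an assumption to validate in a test domain.

```powershell
# Added example, not from the thread. Run as an account that can edit the OU's ACL.
# Hypothetical placeholders: replace with your own OU and delegated group.
$OuDn    = 'OU=Branch1,DC=example,DC=com'
$Trustee = 'EXAMPLE\Branch1-Admins'

# Each entry: inheritance scope + permission;object-or-property;inherited object type
#   /I:T = this object and sub-objects, /I:S = sub-objects only
$Aces = @(
    @{ Scope = '/I:T'; Ace = 'CC;computer' },                                       # create computer objects
    @{ Scope = '/I:S'; Ace = 'CA;Reset Password;computer' },                        # reset the machine password on join
    @{ Scope = '/I:S'; Ace = 'RPWP;Account Restrictions;computer' },                # read/write account restrictions
    @{ Scope = '/I:S'; Ace = 'WS;Validated write to DNS host name;computer' },
    @{ Scope = '/I:S'; Ace = 'WS;Validated write to service principal name;computer' }
)

foreach ($entry in $Aces) {
    # ${Trustee} is braced so PowerShell does not read "$Trustee:" as a scope prefix
    $grant = "${Trustee}:$($entry.Ace)"
    & dsacls.exe $OuDn $entry.Scope /G $grant | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed while granting '$grant' on $OuDn"
    }
}

# Review step: list every ACE on the OU that names the delegated group,
# so the change can be compared against what was intended.
& dsacls.exe $OuDn | Select-String -SimpleMatch $Trustee
```

Keeping the grant scoped to the `computer` object class means the delegated group cannot modify users, groups or GPO links in the same OU.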