All I have to say is no document is perfect and although there was a ton of feedback put into the writing of that specific whitepaper from myself, Guido, and others whose names you will find on page 2 or 3 of the doc, it wasn't all incorporated. :)  There is also the case that not everything can be delegated to a granular level; it depends a lot on the back-end interfaces used to do the work. Just like with Exchange, you actually only need write access to two attributes on a user and no Exchange config container permissions to mailbox-enable a user, but the Exchange API requires much, much more.
 
Unfortunately I don't have any docs on this that I can immediately find on what is needed, what I would do to try and figure it out is to do the rename with full rights and use repadmin /showmeta to work out what exactly was changed and start with those attributes. This may work right off or it may not work at all. It depends entirely on HOW Microsoft is doing this in the backend. If they are using an older RPC based interface that hasn't been updated to reflect delegation it is entirely possible it will take considerable rights to be delegated...
 
At the very least I would expect rights would be needed to change cn, samaccountname, serviceprincipalname, dnshostname, and possibly even useraccountcontrol and pwdlastset.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
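The "rename with full rights, then look at what repadmin /showmeta says changed" approach described above, written out as an added PowerShell example (this is not code from the thread or from any Microsoft guide). It assumes the RSAT ActiveDirectory module, a writable DC, and a lab computer object; the DC name and DN are constructed placeholders. It uses Get-ADReplicationAttributeMetadata in place of parsing repadmin output, since it exposes the same per-attribute version counters.

```powershell
# Added example, not code from the thread. Snapshot the per-attribute replication
# metadata of a computer object, rename the machine by whatever method you are
# trying to delegate (run with an account that still has full rights), then diff
# the snapshots. Attributes whose Version rose are the ones the rename touched,
# and therefore the ones a scoped Write Property ACE must cover.
# Assumptions: RSAT ActiveDirectory module; $Server and $Target are lab placeholders.
Import-Module ActiveDirectory

$Server = 'dc01.corp.example'                      # assumption: pin reads to one DC so versions compare cleanly
$Target = 'CN=LABPC01,OU=Lab,DC=corp,DC=example'   # constructed sample DN of the computer to be renamed

function Get-AttributeVersions {
    # Returns the object's GUID plus a hashtable attributeName -> replication version.
    # The GUID is kept so the same object can be re-read after its DN changes.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Server
    )
    $obj = Get-ADObject -Identity $Identity -Server $Server
    $versions = @{}
    Get-ADReplicationAttributeMetadata -Object $obj -Server $Server -Properties * |
        ForEach-Object { $versions[$_.AttributeName] = $_.Version }
    return [pscustomobject]@{ Guid = $obj.ObjectGUID; Versions = $versions }
}

function Compare-AttributeVersions {
    # Lists attributes whose version increased, or that appeared, between two snapshots.
    param(
        [Parameter(Mandatory)]$Before,
        [Parameter(Mandatory)]$After
    )
    foreach ($name in ($After.Versions.Keys | Sort-Object)) {
        $old = $Before.Versions[$name]
        if ($null -eq $old -or $After.Versions[$name] -gt $old) {
            [pscustomobject]@{ Attribute = $name; Before = $old; After = $After.Versions[$name] }
        }
    }
}

# 1. Snapshot before the rename; keep the GUID because the DN is about to change.
$before = Get-AttributeVersions -Identity $Target -Server $Server

# 2. Perform the rename out of band with a fully privileged account, e.g. on the host:
#    Rename-Computer -NewName LABPC02 -DomainCredential CORP\fulladmin -Restart
#    If another DC processed the rename, wait for (or force) replication to $Server
#    before continuing; the version counters replicate with the attributes.
Read-Host 'Rename the computer now, then press Enter'

# 3. Re-read the object by GUID and diff. Joe's list above (cn, sAMAccountName,
#    servicePrincipalName, dNSHostName, possibly userAccountControl and pwdLastSet)
#    is what you would expect to see for an OS-level rename; Paul's answer below
#    predicts only name/cn for a pure RDN change. The output settles it for your case.
$after   = Get-AttributeVersions -Identity $before.Guid.ToString() -Server $Server
$touched = Compare-AttributeVersions -Before $before -After $after
$touched | Format-Table -AutoSize

# Attributes listed here are the candidates for attribute-level WP delegation;
# anything absent did not change and does not need to be delegated for the rename.
```

Run the script as an account that can read replication metadata on the DC (a normal domain user can read it by default); the rename itself is the only step that needs the temporary full rights, and the point of the exercise is to replace those with just the WP entries the diff reports.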
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, July 20, 2006 4:14 AM
To: [email protected]
Subject: Re: [ActiveDir] Rights Required to Rename Computer Objects

Write all properties is overkill!  Joe'll go wild when he sees that that is written in the MSFT delegation guide...   :P
 
I believe you require:
 
WRITE_PROP for name and cn
 
 
Summarised, you're modifying the RDN.
 
 
--Paul
----- Original Message -----
Sent: Wednesday, July 19, 2006 8:15 PM
Subject: RE: [ActiveDir] Rights Required to Rename Computer Objects

That's what Microsoft recommends... from the whitepaper Best Practices for Delegating Active Directory Administration, Appendix A:
 

Rename a computer account

WP [Write Property] on the computer object to modify all attributes

NOTE: User performing operation must be a Local Administrator on the computer being renamed



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Wednesday, July 19, 2006 7:33 AM
To: [email protected]
Subject: [ActiveDir] Rights Required to Rename Computer Objects

I posted about this a week or so ago and I didn’t see a response, but can anyone tell me what specific rights are needed to allow someone to rename a computer attached to an AD domain? Read and Write all Properties works but that’s a bit excessive I think.

 

Thanks,

 

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building

Phone: (615) 880-2573

 
