In the default domain setup ... a domain user can set up 10 computers,
as was pointed out:
"After I adjusted the security settings, I reduced the default number of
computers an authenticated user can join to the domain down to zero."
Why not just change the group to have that right again? As you know
there's a specific group policy setting for that.
What's the risk for this group to not have this right?
(Threats and Countermeasures guide discusses the pros/cons)
Wells, James Arthur wrote:
Ben,
There is a larger list of required ACE entries to JOIN a computer to the domain.
They are:
List Contents
Read All Properties
Delete
Delete Subtree
Read Perms
All Extended Rights (gives you Allowed to Authenticate, Change Pwd,
Receive As, Reset Pwd, Send As)
Validated write to DNS host name
Validated write to service principal name
(Property permissions)
Write Account Restrictions
Read DNS Host Name Attributes
Read Personal Information
Read Public Information
Good luck!
(I'm assuming you're in W2K3 domain mode, because in mixed, Pre-Win2K
Compatible Access grants extra permissions letting users join computers, even
when dropping the workstation quota to 0).
--James
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, December 07, 2006 1:45 PM
To: [email protected]
Subject: [ActiveDir] Delegate join computer to domain
Hello everyone,
Our desktop support group is all a part of a security group called IT. I
delegated the Create and Delete Computer ACEs to the security group over the OU
that I want them to add computer accounts into when a machine is joined to the
domain.
After I adjusted the security settings, I reduced the default number of
computers an authenticated user can join to the domain down to zero.
It seems that the members of the IT security group can pre-create the computer accounts, but when they attempt to go through the join process, they are caught at the check that determines if they have surpassed the number of machines a user can join to the domain (which is now zero).
What must I do so this security group is not subject to that check?
Thanks,
Ben
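As an added example (not code from the thread or from either poster), here is one way to apply the ACE list James gives to Ben's IT group on the delegated OU, so that group can join machines without depending on ms-DS-MachineAccountQuota. The group name "IT", the OU "OU=Workstations,DC=example,DC=com", and the use of the RSAT ActiveDirectory module are assumptions; the GUIDs are resolved from the schema and Extended-Rights container at run time rather than hard-coded.

```powershell
# Added example, not from the thread. Grants the ACEs James lists to the IT group on
# the OU Ben delegated, so members can join machines regardless of
# ms-DS-MachineAccountQuota. Assumed (not in the original): group "IT",
# OU "OU=Workstations,DC=example,DC=com", RSAT ActiveDirectory module available.
Import-Module ActiveDirectory

$GroupName = 'IT'
$OuDn      = 'OU=Workstations,DC=example,DC=com'

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$rightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Look GUIDs up in the schema and Extended-Rights container instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsDn -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

$computerClass = Get-SchemaGuid 'computer'
$sid   = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupName).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$none  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE that applies only to computer objects below the OU (inheritedObjectType = computer class).
function New-ComputerAce([string]$Rights, [guid]$ObjectType = [guid]::Empty) {
    $r = [System.DirectoryServices.ActiveDirectoryRights]$Rights
    return New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $r, $allow, $ObjectType, $desc, $computerClass)
}

$acl = Get-Acl -Path "AD:\$OuDn"

# What Ben already delegated: create/delete computer objects directly in the OU.
$cd = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $cd, $allow, $computerClass, $none)))

# James's list, applied to descendant computer objects.
$acl.AddAccessRule((New-ComputerAce 'ListChildren, ReadProperty, ReadControl, Delete, DeleteTree'))
$acl.AddAccessRule((New-ComputerAce 'ExtendedRight'))  # all extended rights: Allowed to Authenticate, Change/Reset Pwd, Send As, Receive As
foreach ($name in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $acl.AddAccessRule((New-ComputerAce 'Self' (Get-RightsGuid $name)))
}
$acl.AddAccessRule((New-ComputerAce 'WriteProperty' (Get-RightsGuid 'Account Restrictions')))
# Read DNS Host Name Attributes / Personal Information / Public Information are
# already covered by ReadProperty (Read All Properties) above.

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Show the resulting ACEs for the group, and the current quota for comparison.
(Get-Acl -Path "AD:\$OuDn").Access | Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
(Get-ADObject (Get-ADDomain).DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

The quota check only applies when a user relies on ms-DS-MachineAccountQuota to create the computer object; a principal with its own Create Child right on the OU, plus the per-object rights above, is not counted against it. Keep the OU-level ACE scoped to computer objects only (objectType = computer class) so the group cannot create other object types there.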
-----Original Message-----
From: "Thompson, Elizabeth" <[EMAIL PROTECTED]>
To: "[email protected]" <[email protected]>
Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Sent: 12/7/06 11:31 AM
Subject: RE: [ActiveDir] Please help me
Check and see if it still has the "dead" server listed under the NTDS
Settings in AD Sites and Services. Had this happen once to me. I manually deleted the
NTDS reference and it was happy.
Elizabeth Thompson
Service and Support Technician/Exchange Admin
Information Technology Services
The Community College of Baltimore County
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: [email protected]
Cc: [email protected]; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me
I have a strange problem and cannot find any solution.
I used DCPROMO to demote a computer. It worked OK, the domain controller was demoted. But when I use repadmin to show the other DCs' replication, it shows replication from the demoted domain controller. I didn't find anything to explain how to solve that.
Where can I find it, to remove it from replication? The machine is a network computer, but replication fails with this message:
SPO-COSTA\SPO-CENTRO5 <<<-------------- (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
USNs: 13018091/OU, 13018091/PU
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
The directory system agent (DSA) operation cannot proceed
because of a DNS lookup failure.
96 consecutive failure(s).
Last success @ 2006-12-01 07:58:08.
Adrião Ferreira Ramos
Operations and Infrastructure Dept. - CII.14
[EMAIL PROTECTED]
(11) 3388.8193
This message may contain confidential and/or privileged information. If you are
not the addressee or authorized to receive this for the addressee, you must not
use, copy, disclose or take any action based on this message or any information
herein. If you have received this message in error, please
advise the sender immediately by reply e-mail and delete this message. Thank
you for your cooperation.
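As an added example (not from the thread or from any of the posters), the following script does what Elizabeth suggests in a checkable way: it looks for a leftover server or NTDS Settings object for SPO-CENTRO5 in the configuration partition, looks for the tombstone that repadmin reports as "DEL:... (deleted DSA)", resolves the GUID CNAME behind error 8524, and then removes the leftover server object and re-runs the KCC. The server name, site SPO-COSTA, DSA GUID and forest DNS name are taken from the repadmin output above; running on a Windows Server 2008 R2 or later DC as an Enterprise Admin with the DnsClient module present is an assumption (in a Windows Server 2003 forest the equivalent is ntdsutil "metadata cleanup").

```powershell
# Added example, not from the thread. Checks for leftover server metadata for the
# demoted DC and for the GUID CNAME the failing replication link points at, then
# removes a leftover server object. Assumptions (not in the original): run on a DC
# as Enterprise Admin, Windows Server 2008 R2 or later (deleting the NTDS Settings
# object there performs metadata cleanup; on 2003 use ntdsutil), DnsClient module
# present. Names and GUIDs are copied from the repadmin output in the message.
Import-Module ActiveDirectory

$ServerName = 'SPO-CENTRO5'
$SiteName   = 'SPO-COSTA'
$DsaGuid    = 'ab0540a5-545d-43d6-be25-94a21ba3893f'
$ForestDns  = 'sabesp.com.br'

$configNc  = (Get-ADRootDSE).configurationNamingContext
$serversDn = "CN=Servers,CN=$SiteName,CN=Sites,$configNc"

# 1. Leftover server / NTDS Settings objects in the site.
$server = Get-ADObject -SearchBase $serversDn -SearchScope OneLevel -LDAPFilter "(&(objectClass=server)(cn=$ServerName))"
if ($server) {
    $ntds = Get-ADObject -SearchBase $server.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    if ($ntds) {
        Write-Warning "NTDS Settings still present: $($ntds.DistinguishedName) (objectGUID $($ntds.ObjectGUID))"
    } else {
        Write-Output "Server object $($server.DistinguishedName) remains but has no NTDS Settings child."
    }
} else {
    Write-Output "No live server object named $ServerName under $serversDn."
}

# 2. Tombstoned DSA objects, which repadmin reports as 'DEL:<guid> (deleted DSA)'.
Get-ADObject -IncludeDeletedObjects -SearchBase $configNc -LDAPFilter '(&(objectClass=nTDSDSA)(isDeleted=TRUE))' -Properties whenChanged |
    Where-Object { $_.ObjectGUID -eq $DsaGuid } |
    ForEach-Object { Write-Output "Deleted DSA tombstone: $($_.DistinguishedName) (changed $($_.whenChanged))" }

# 3. The CNAME the link tries to resolve (result 8524 = DNS lookup failure).
$cname = Resolve-DnsName -Name "$DsaGuid._msdcs.$ForestDns" -Type CNAME -ErrorAction SilentlyContinue
if ($cname) { Write-Output "CNAME still resolves to $($cname.NameHost); remove it after the cleanup." }
else        { Write-Output "No CNAME for $DsaGuid._msdcs.$ForestDns (expected after demotion)." }

# 4. Cleanup: deleting the server object with its NTDS Settings child triggers
#    metadata cleanup on 2008 R2 and later.
if ($server) {
    Remove-ADObject -Identity $server.DistinguishedName -Recursive -Confirm:$false
}

# 5. Let the KCC rebuild the topology, then re-check the inbound links.
repadmin /kcc
repadmin /showrepl
```

Run step 1 through 3 first and read the output before letting step 4 delete anything; if no live server object exists, the stale link should disappear on its own once the KCC runs, and only the DNS record is left to tidy up.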
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will
hunt you down...
http://blogs.technet.com/sbs