Not really the risk - more the ability to delegate the right on a very granular level. Semi-independent organizations are given OUs in our domains, with limited rights. One of those rights needed to be the ability to precreate computer objects and then join them to the domain (and to be nice, to allow one SA to create the object and a DIFFERENT SA to join the computer, so the extra parameter in ADUC at creation time to specify a security principal didn't help).
We also use Quest ActiveRoles for AD security ACLs and auditing, so we needed to know the specific ACEs necessary... and, voila! Now, if there were some way to script the delegation wizard tasks, and build in easy auditing and administration like Quest ActiveRoles has, I would have gone that route... but not sure such an API exists...

The GPO wasn't the direction we wanted to go, because we also handle patching and compliance (different apps for different OUs even), so computers going into the "Computers" container isn't a good option, which I think that GPO would allow for - correct?

(That's why WE did all of the above. Not sure what Ben's list of goals is.)

--James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, December 07, 2006 5:54 PM
To: [email protected]
Subject: Re: [ActiveDir] Delegate join computer to domain

In the default domain set up... a domain user can set up 10 computers, as was pointed out:
"After I adjusted the security settings, I reduced the default number of computers an authenticated user can join to the domain down to zero."

Why not just change the group to have that right again? As you know there's a specific group policy setting for that. What's the risk for this group to not have this right? (Threats and Countermeasures guide discusses the pros/cons)

Wells, James Arthur wrote:
> Ben,
>
> There is a larger list of required ACE entries to JOIN a computer to the
> domain.
>
> They are:
>
> List Contents
> Read All Properties
> Delete
> Delete Subtree
> Read Perms
> All Extended Rights (gives you Allowed to Authenticate, Change Pwd,
> Receive As, Reset Pwd, Send As)
> Validated write to DNS host name
> Validated write to service principal name
>
> (Property permissions)
> Write Account Restrictions
> Read DNS Host Name Attributes
> Read Personal Information
> Read Public Information
>
> Good luck!
>
> (I'm assuming you're in W2K3 domain mode, because in mixed, Pre-Win2K
> Compatible Access grants extra permissions letting users join computers, even
> when dropping the workstation quota to 0).
>
> --James
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
> Sent: Thursday, December 07, 2006 1:45 PM
> To: [email protected]
> Subject: [ActiveDir] Delegate join computer to domain
>
> Hello everyone,
>
> Our desktop support group are all a part of a security group called IT. I
> delegated the Create and Delete Computer ACEs to the security group over the
> OU that I want them to add computer accounts into when a machine is joined to
> the domain.
>
> After I adjusted the security settings, I reduced the default number of
> computers an authenticated user can join to the domain down to zero.
>
> It seems that the members of the IT security group can pre-create the
> computer accounts, but when they attempt to go through the join process, they
> are caught at the check that determines if they have surpassed the number of
> machines a user can join to the domain (which is now zero).
>
> What must I do so this security group is not subject to that check?
>
> Thanks,
> Ben
>
> -----Original Message-----
> From: "Thompson, Elizabeth" <[EMAIL PROTECTED]>
> To: "[email protected]" <[email protected]>
> Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Sent: 12/7/06 11:31 AM
> Subject: RE: [ActiveDir] Please help me
>
> Check and see if it still has the "dead" server listed under its NTDS
> Settings in AD Sites and Services. Had this happen once to me. I manually
> deleted the NTDS reference and it was happy.
>
> Elizabeth Thompson
> Service and Support Technician/Exchange Admin
> Information Technology Services
> The Community College of Baltimore County
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, December 07, 2006 10:50 AM
> To: [email protected]
> Cc: [email protected]; [EMAIL PROTECTED]
> Subject: [ActiveDir] Please help me
>
> I have a strange problem and cannot find any solution.
>
> I used DCpromo to demote a computer. It worked OK, the domain
> controller was demoted. But when I use repadmin to show the other DCs'
> replication, it shows replication from the demoted domain controller. I
> didn't find anything to explain how to solve that.
> Where can I find it, to remove it from replication? The machine is a
> network computer, but replication fails with message:
>
> SPO-COSTA\SPO-CENTRO5 <<<-------------- (THIS IS THE DOMAIN CONTROLLER
> THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
> DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
> DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
> Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
> DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
> DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
> USNs: 13018091/OU, 13018091/PU
> Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
> The directory service agent (DSA) operation cannot proceed
> because of a DNS lookup failure.
> 96 consecutive failure(s).
> Last success @ 2006-12-01 07:58:08.
>
> Adrião Ferreira Ramos
> Operations and Infrastructure Dept. - CII.14
> [EMAIL PROTECTED]
> (11) 3388.8193
>
> This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose or take any action based on this message or any
> information herein. If you have received this message in error, please
> advise the sender immediately by reply e-mail and delete this message. Thank
> you for your cooperation.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/[email protected]/

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man... I will hunt you down...
http://blogs.technet.com/sbs
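The ACE list James posted is the kind of thing that gets typed into ADUC's Advanced Security dialog by hand and then drifts. The PowerShell below is an added example, not code from the thread or from Quest ActiveRoles: it applies that list to one OU for one security group using System.DirectoryServices, as inherit-only ACEs that apply to descendant computer objects. The OU distinguished name and the group name are assumptions; the extended-right names (Validated-DNS-Host-Name, Validated-SPN, User-Account-Restrictions, DNS-Host-Name-Attributes, Personal-Information, Public-Information) are the CNs under CN=Extended-Rights in the Configuration partition, and the script resolves their GUIDs from the forest rather than hard-coding them. It assumes Create/Delete Computer objects has already been delegated on the OU, as Ben describes, and it only adds James's join rights.

```powershell
# Added example (not from the thread): delegate the ACEs needed to join a
# pre-created computer object, scoped to computer objects under one OU.
# The OU DN and group below are assumptions; change them for your domain.
# Run as an account that can write the OU's security descriptor.
param(
    [string]$OuDn  = 'OU=Workstations,DC=example,DC=com',   # assumed OU
    [string]$Group = 'EXAMPLE\IT'                            # assumed group
)

Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

# Resolve GUIDs from this forest so the result can be cross-checked in ADSI Edit.
function Get-RightsGuid([string]$Cn) {
    $o = [ADSI]"LDAP://CN=$Cn,CN=Extended-Rights,$configNc"
    [guid]$o.rightsGuid.Value
}
function Get-SchemaIdGuid([string]$Cn) {
    $o = [ADSI]"LDAP://CN=$Cn,$schemaNc"
    New-Object System.Guid (,[byte[]]$o.schemaIDGUID.Value)
}

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$computerClass = Get-SchemaIdGuid 'Computer'

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# One ACE on the OU, inherit-only, applying to descendant computer objects.
# An empty object type means "all properties" / "all extended rights".
function New-JoinAce([System.DirectoryServices.ActiveDirectoryRights]$Right,
                     [guid]$ObjectType = [guid]::Empty) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Right, $Allow, $ObjectType, $Descend, $computerClass)
}

$aces = @(
    # List Contents, Read All Properties, Delete, Delete Subtree,
    # Read Permissions, All Extended Rights
    (New-JoinAce ($Rights::ListChildren -bor $Rights::ReadProperty -bor
                  $Rights::Delete -bor $Rights::DeleteTree -bor
                  $Rights::ReadControl -bor $Rights::ExtendedRight))
    # Validated writes (ActiveDirectoryRights.Self is the "validated write" bit)
    (New-JoinAce $Rights::Self (Get-RightsGuid 'Validated-DNS-Host-Name'))
    (New-JoinAce $Rights::Self (Get-RightsGuid 'Validated-SPN'))
    # Property-set permissions
    (New-JoinAce $Rights::WriteProperty (Get-RightsGuid 'User-Account-Restrictions'))
    (New-JoinAce $Rights::ReadProperty  (Get-RightsGuid 'DNS-Host-Name-Attributes'))
    (New-JoinAce $Rights::ReadProperty  (Get-RightsGuid 'Personal-Information'))
    (New-JoinAce $Rights::ReadProperty  (Get-RightsGuid 'Public-Information'))
)

$ou  = [ADSI]"LDAP://$OuDn"
$acl = $ou.psbase.ObjectSecurity          # psbase works on PS 2.0 as well
foreach ($ace in $aces) { [void]$acl.AddAccessRule($ace) }
$ou.psbase.CommitChanges()

# Check: each ACE should show for the group as inherit-only, on computer objects.
dsacls $OuDn | Select-String -SimpleMatch $Group
```

Two things to note when reading the result in dsacls. Read All Properties already covers the three property-set reads at the end of the list, so those ACEs are redundant in effect; they are kept here so the ACL matches the list line for line, which is what an auditing tool such as ActiveRoles will be comparing against. And the quota Ben hit (ms-DS-MachineAccountQuota, the "10 computers" default Susan refers to) governs computer accounts created during the join by a user relying on the "Add workstations to domain" right; when the object already exists and the joining principal holds the rights above on it, the join updates the existing object instead, which is why pre-creation plus this ACE set works with the quota at zero.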
