I have done this....
Because my requirement *IS* to allow a certain number of delegated regional
admins (who are NOT Domain Admin members) to join computers, I have not reduced
ms-DS-MachineAccountQuota, as that is too blunt a tool, and can't
distinguish between ordinary users and my delegated admins... - In fact I have
*increased* the quota so that those regional administrators can continue to
function...
However, I *HAVE*...
- created a brand new top level OU called "Computers to be moved".
- ACL'd that OU to only allow my intended admins to create child objects.
- Changed the default container for new computer objects in AD to this new OU.
Now, any computer that joins the domain does not get created in the default
computers container, but in my new OU.
I have issued a very prescriptive process to those regional admins that
instructs them in no uncertain terms that when joining computers to our domain
they must pre-create the computer account in their specific OU before joining
the machine. Obviously, most of the time they forget to do this (don't we all?)
and just do it the regular way, such that the computer account does end up in
that "Computers to be moved" OU... - (which is also fine, just so long as they
then remember to immediately go into ADUC & move the object to the correct OU,
which they've also been instructed to do). So by way of "encouraging" them to
change their habits, I run the following PowerShell script as a scheduled task
every 1 hour, on the hour, which disables any machine accounts that happen to
be there! - it could just as easily delete those computer accounts... :-) -
Feel free to take this script and do with it as you will... - but I'd
appreciate getting back any improvements!
# Script to automatically disable any computer accounts found to exist in the Computers container in AD
# Version: 1.0
# Date: 18-01-2012
# Author: Paul Gordon
##################################################################################
# FUNCTION DECLARATIONS
#
##################################################################################
function MyLog { # Log events to screen and/or file
    param ([string]$msg, [int]$flag, [int]$target)
    # $flag   = log event type   (0=INFO, 1=WARNING, 2=ERROR, 3=DEBUG)
    # $target = log destination  (0=none, 1=screen, 2=file, 3=both)
    $labels = @('INFO', 'WARNING', 'ERROR', 'DEBUG')
    if ($flag -lt 0 -or $flag -ge $labels.Count) { $flag = 0 }   # unknown event type is logged as INFO
    $fileoutput   = ($target -gt 1)                     # write to file if target flag = 2 or 3
    $screenoutput = ($target -eq 1 -or $target -eq 3)   # write to screen if target flag = 1 or 3
    $date = Get-Date -Format "dd/MM/yyyy HH:mm:ss"
    $line = "$date $($labels[$flag]): $msg"
    if ($fileoutput)   { Write-Output $line | Out-File $LogFile -Append }   # $LogFile is read from script scope
    if ($screenoutput) { Write-Host $line }
}
##################################################################################
# MAIN SCRIPT BODY
#
##################################################################################
# Import the required AD powershell module
Import-Module ActiveDirectory
# Log file path; must be set before MyLog is first called
$LogFile = 'C:\windows\logs\disabledefaultcomputers.log'
# Set the path of the computers container to be inspected
#$containerpath = "CN=Computers,DC=contoso,DC=com"   # OLD VERSION USING DEFAULT COMPUTERS CONTAINER
$containerpath = "OU=Computers-to-be-moved,DC=contoso,DC=com"   # NEW PATH
# Enumerate any enabled computer account objects found there.
# @() forces an array so that .Count works even when exactly one object is returned.
$computers = @(Get-ADComputer -Filter {enabled -eq $true} -SearchBase $containerpath)
MyLog "----------------------------------------------------------------------------------------" 0 3
MyLog "** Beginning disable of any computer objects found in the default computers container **" 0 3
if ($computers.Count -gt 0)
{
    $computercount = $computers.Count
    $computers | Set-ADComputer -Enabled:$false
    MyLog "Disabled $computercount computer objects in the specified computers container." 0 3
}
else
{
    MyLog "The specified computers container currently has no enabled computer objects within." 0 3
}
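The set-up steps described above (a staging OU that only the delegated admins may create computer objects in, and the default computer container redirected to it) have no code on the page. The following is an added example, not Paul's script, showing one way to do both from PowerShell and to verify the result. The OU distinguished name, the domain and the group name `CONTOSO\Regional-Admins` are assumed placeholders; the schemaIDGUID of the `computer` class is the fixed value from the AD schema, and `redircmp.exe` is the standard tool for the redirection.

```powershell
# Added example (not the original poster's script): delegate "create computer
# objects" on a staging OU and redirect the default computer container to it.
# ASSUMPTIONS: domain contoso.com, the OU DN and the group name are placeholders.
Import-Module ActiveDirectory

$StagingOU  = "OU=Computers-to-be-moved,DC=contoso,DC=com"   # assumed DN
$AdminGroup = "CONTOSO\Regional-Admins"                      # assumed group

# schemaIDGUID of the 'computer' object class in the AD schema
$ComputerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

function Grant-CreateComputerOnOU {
    # Adds an ACE allowing $GroupName to create child objects of class $ClassGuid
    # in $OuDn only (no inheritance), so the group cannot create anything else there.
    param([string]$OuDn, [string]$GroupName, [Guid]$ClassGuid)

    $acl = Get-Acl -Path "AD:\$OuDn"
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $rights  = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                       -ArgumentList $sid, $rights, $allow, $ClassGuid, $inherit

    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-CreateComputerDelegation {
    # Returns $true if an explicit CreateChild ACE for the computer class exists
    # on the OU for the group; used to confirm the delegation landed as intended.
    param([string]$OuDn, [string]$GroupName, [Guid]$ClassGuid)

    $acl = Get-Acl -Path "AD:\$OuDn"
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $GroupName -and
        $_.ObjectType -eq $ClassGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        $_.AccessControlType -eq 'Allow'
    }
    return ($null -ne $match)
}

# 1. Delegate: only the named group may create computer objects in the staging OU.
Grant-CreateComputerOnOU -OuDn $StagingOU -GroupName $AdminGroup -ClassGuid $ComputerClassGuid
if (-not (Test-CreateComputerDelegation -OuDn $StagingOU -GroupName $AdminGroup -ClassGuid $ComputerClassGuid)) {
    throw "Delegation ACE for $AdminGroup was not found on $StagingOU"
}

# 2. Redirect the default computer container so domain joins land in the staging OU.
#    redircmp.exe must run with Domain Admin rights and needs the domain at
#    Windows Server 2003 functional level or higher.
& redircmp.exe $StagingOU

# 3. Verify: Get-ADDomain exposes the current well-known computers container.
$current = (Get-ADDomain).ComputersContainer
if ($current -ne $StagingOU) {
    throw "Default computers container is '$current', expected '$StagingOU'"
}
Write-Host "Default computers container now: $current"
```

The check in `Test-CreateComputerDelegation` matters because `Set-Acl` on the `AD:` drive succeeds silently even when the rule is ill-formed for the caller's intent; reading the ACL back and confirming the ACE is object-type-specific (the computer class GUID, not an empty GUID meaning "any child class") is what proves the delegation is as narrow as the OU design assumes.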
-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: 20 June 2012 17:43
To: NT System Admin Issues
Subject: Re: How many in your company can join systems to domain
By default yes, unless you turn it off, which, IMHO, is the sane thing to do...
On Wed, Jun 20, 2012 at 8:30 AM, Webster <[email protected]> wrote:
> I haven't had to deal with this in a long time but IIRC anyone who is
> in Domain Users can join up to 10 computers to your domain.
>
> http://support.microsoft.com/kb/243327
>
>
> Carl Webster
>
> Consultant and Citrix Technology Professional
>
> http://www.CarlWebster.com
>
>
> From: David Lum <[email protected]>
> Reply-To: NT Issues <[email protected]>
> Date: Wednesday, June 20, 2012 8:19 AM
> To: NT Issues <[email protected]>
> Subject: How many in your company can join systems to domain
>
> Subject line pretty much says it. We have 600 employees and an IT
> staff of 50-ish (including developers) and I swear all 50 can join
> systems to the domain. Certainly 10 of them can and that seems like a lot.
>
>
>
> Brought up because these guys drive me crazy by loosely following
> naming standards, not moving to the appropriate OU, and not putting
> descriptions in AD.
>
> David Lum
> Systems Engineer //
> NWEATM
> Office 503.548.5229//Cell (voice/text) 503.267.9764
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>