Diane,

Thanks for the info - it has been a help.

Ken

-----Original Message-----
From: Ayers, Diane [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 02, 2002 4:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add computer to domain delegation

Kenneth:

For the easiest approach, you can use the "Delegation of Control Wizard" if you don't want to try and dig into the details of the AD ACLs. Simply right click on the OU you want to delegate and run the wizard.

There are some issues there. The "roles" that are defined in the wizard are based on the roles in the .inf file "delegwiz.inf". There is a typo in the file that you may need to correct. If you run the delegation wizard and don't see the role "Join a computer to the domain" then the inf file has a typo. You'll need to fix this. The files that I have seen are as follows:

;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS
Description = "Join a computer to the domain"
ObjectTypes = SCOPE
[template6.SCOPE]
computer=CC
;----------------------------------------------------------

I've tweaked the file a bit to give the delete and reset rights to the delegated admin. Here's what I changed it to:

;----------------------------------------------------------
[template6]
AppliesToClasses=domainDns,organizationalUnit
Description = "Manage computer accounts in the domain or OU"
ObjectTypes = SCOPE, computer
[template6.SCOPE]
computer=CC,DC
[template6.computer]
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------

There is a KB article on the templates if you want more info (although it's pretty skimpy).

HTH

Diane Ayers
Pacific Gas & Electric Co.
Sacramento/San Francisco

-----Original Message-----
From: Garello, Kenneth [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 02, 2002 11:50 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add computer to domain delegation

Tony,

Thank you very much for your response. I found the privileges that you outlined below at the computer level, but not at the OU level. This means that I would have to explicitly apply the four permissions required for each computer created. Is there something I am missing or is that the way it's gotta be?

Ken

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 02, 2002 11:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Add computer to domain delegation

Justin

Sorry if I wasn't clear on this. If someone has the appropriate permissions it is possible to simultaneously create the computer object while joining the computer to the domain. The limitation of this approach is that it creates the computer object in the Computers built-in container. If you had a dedicated OU for workstations, for example, you would need to subsequently move the computer object from the Computers container to your Workstations (or whatever) OU.

A way to avoid this is to pre-create the computer objects in your OU of choice. This can be done with ADUC, ADSI script, etc. Then when the computer is joined to the domain, the computer you are working with is automatically matched (by name) to the pre-created computer object. I have not come across any problems with SIDs.

Another reason why I like this approach is that it allows for a separation of roles. In many organisations you don't necessarily want the same people who do the joining to be able to summarily create computer objects. To separate the 2 roles, the permissions required on the OU are as follows.

To allow the creation of Computer objects:
  Create Computer objects

To allow computers to be joined to the domain:
  Allow <your_group> Read/Write Account Restrictions
  Allow <your_group> Reset Password
  Allow <your_group> Validated write to DNS host name
  Allow <your_group> Validated write to service principal name
  Note: apply these onto Computer objects

If you get strange results then have a look at the "Add workstation to domain" group policy settings. This is located in:

  Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Local Rights Assignment

This group policy exists for backward compatibility with the old NT 4.0 user right. Under the GPO, users who have been granted this right can join a workstation to a domain even if they do not have create child access on the computer's container. I would recommend that you disable this setting and work exclusively with ACLs.

Tony

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 18:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add computer to domain delegation

I thought that if you pre-created all computer accounts the SIDs for the computer accounts wouldn't match when you went to actually go and join the computer to the domain. Am I mistaken on this? Can you send along some Q Articles that explain what you want Ken to do?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Add computer to domain delegation

Ken

A good way to do this is to pre-create the computer objects in your OU of choice (using ADUC, script, etc.). Once the object has been created, you can then join the computer to the domain. The join process will automatically "find" the computer object in the correct OU. The advantage of this approach is that you can modify the OU ACL so that you have 2 roles: one for creating the computer objects, and one for joining the computers to the domain. Of course both sets of permissions can be assigned to the same group if that's what you want to do.

Have a browse through the archives for a thread with a subject of "Join Computers to Domain". It contains a lot of the detail on the permissions required.

Tony

---------- Original Message ----------------------------------
From: "Garello, Kenneth" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 1 Oct 2002 10:54:24 -0400

Forgive me if this is a simple question - I have been trying to research this for about a week and cannot get a complete picture.

I have a 3 domain forest that was upgraded from a classic style multi-master NT 4.0 domain structure. All my resources exist in the "resource domain" (workstation accounts, and member servers). The resource domain is the root domain. My user accounts exist in one of two account domains, which are subdomains of the root.

I have a lab technician whose account obviously exists in one of the domain accounts, but needs to add computers to a particular OU within the resource domains consisting of the computers he is responsible for. (There is a separate GPO for this OU.) We use Symantec Ghost to update the machines on a frequent basis.

Can someone help me to understand the process to do this? I know I have to delegate the "add computers to the domain". Do I have to have him create the computers within the OU using the MMC snap-in?
Once the computer exists in the OU, after ghosting he still needs to tell the workstation what domain it belongs to, which requires credentials.

Thanks for any help (discussion on procedure would be helpful).

Ken

Ken Garello
Worcester State College

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
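The two passages above that carry the actual delegation detail are Tony's permission list (Create Computer objects on the OU for one role; Read/Write Account Restrictions, Reset Password and the two validated writes on Computer objects for the other) and Diane's reworked delegwiz.inf template, which adds the delete right (CC,DC) and Reset Password. The following script is an added example, not code from the thread or from any of its participants. It applies Tony's two roles to an OU through the ActiveDirectoryAccessRule class rather than the wizard, with an optional switch that reproduces Diane's create-plus-delete variant. It assumes the RSAT ActiveDirectory module (Get-ADRootDSE, Get-ADObject, the AD: drive) and an account allowed to modify the OU's ACL; the OU distinguished name and the two group names are placeholders. The GUIDs for the computer class and for the property set, control right and validated writes are looked up by name from the schema and the Extended-Rights container, so none are hard-coded.

```powershell
# Added example (not from the thread): delegate Tony's two roles on a workstation OU.
# Assumes RSAT ActiveDirectory module and rights to edit the OU's ACL.
Import-Module ActiveDirectory

$OU           = 'OU=Workstations,DC=example,DC=com'   # placeholder
$CreatorGroup = 'EXAMPLE\Computer-Creators'            # placeholder: may create computer objects
$JoinerGroup  = 'EXAMPLE\Computer-Joiners'             # placeholder: may join pre-created objects
$GrantDelete  = $false   # $true mirrors Diane's "computer=CC,DC" template (create + delete)

$rootDse = Get-ADRootDSE

# schemaIDGUID of the computer class. Used as objectType for Create/DeleteChild on the
# OU and as inheritedObjectType so the join rights reach computer objects only.
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# Resolve a property set / control right / validated write by the display name the
# ACL editor shows, from CN=Extended-Rights in the configuration partition.
function Get-RightsGuid {
    param([string]$DisplayName)
    $er = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $er) { throw "Extended right '$DisplayName' not found in Extended-Rights" }
    [guid]$er.rightsGuid
}

$accountRestrictions = Get-RightsGuid 'Account Restrictions'
$resetPassword       = Get-RightsGuid 'Reset Password'
$validatedDnsHost    = Get-RightsGuid 'Validated write to DNS host name'
$validatedSpn        = Get-RightsGuid 'Validated write to service principal name'

$creator = New-Object System.Security.Principal.NTAccount($CreatorGroup)
$joiner  = New-Object System.Security.Principal.NTAccount($JoinerGroup)
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$OnOU    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$OnKids  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$OU"

# Role 1: create (and optionally delete) computer objects directly in this OU.
$creatorRights = if ($GrantDelete) { 'CreateChild, DeleteChild' } else { 'CreateChild' }
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $creator, [System.DirectoryServices.ActiveDirectoryRights]$creatorRights,
    $Allow, $computerGuid, $OnOU)))

# Role 2: the four permissions Tony lists, inherited by descendant computer objects only.
# Validated writes are granted through the Self right; Reset Password is a control right.
$joinRules = @(
    @{ Rights = 'ReadProperty, WriteProperty'; Guid = $accountRestrictions }  # Read/Write Account Restrictions
    @{ Rights = 'ExtendedRight';               Guid = $resetPassword }        # Reset Password
    @{ Rights = 'Self';                        Guid = $validatedDnsHost }     # Validated write to DNS host name
    @{ Rights = 'Self';                        Guid = $validatedSpn }         # Validated write to SPN
)
foreach ($r in $joinRules) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $joiner, [System.DirectoryServices.ActiveDirectoryRights]$r.Rights, $Allow,
        $r.Guid, $OnKids, $computerGuid)))
}

Set-Acl -Path "AD:\$OU" -AclObject $acl

# Check: list only the ACEs now held by the two delegated groups.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -in @($CreatorGroup, $JoinerGroup) } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritanceType, InheritedObjectType -AutoSize
```

The final Format-Table is the check worth keeping: the creator group should show one CreateChild (or CreateChild, DeleteChild) entry whose ObjectType is the computer class GUID, and the joiner group should show four entries scoped by InheritedObjectType to that same GUID. As Tony notes, the ACL is only the sole path to a join if the "Add workstations to domain" user right is not also handed out by policy, so review that setting alongside this script.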