Roger, I do not want them to join the domain by using "My network Places". If they pre-create the computer account in the appropriate OU using the web page they are able to join the domain. This forces them to name their computers according to the naming standards and create the computer account in an OU specified for their department.
Now if I can prevent them from using "My Network Places" to join the domain this will force them to use the web page and everyone will be happy. Greg Felzer -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Wednesday, February 26, 2003 3:54 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container Seeing as that's the default container for creating computer accounts, and the only place those accounts will go when created by a machine joining the domain, I don't see that you're going to achieve what you want. Any reason you can't just script something to move all undesirable accounts out of that OU? -------------------------------------------------------------- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Greg Felzer [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 26, 2003 3:33 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Remove the ability to create > computer accounts in the computer container > > > Wouldn't this prevent all users from creating computer > accounts? I do not want to prevent them from creating them, > just prevent them from creating them in the computers container. > > Greg Felzer > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Sullivan, Kevin > Sent: Wednesday, February 26, 2003 11:47 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Remove the ability to create > computer accounts in the computer container > > You may want to look into changing the default > msDS-MachineAccountQuota. This setting allows any user to > create 10 computer accounts by default. You can change this > via a script, LDP or ADSI edit. If you change the default > value to 0 then your delegation model will probably work but > the default behavior will be changed. > > It may work... > > Keivn > > -----Original Message----- > From: Greg Felzer [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 26, 2003 11:28 AM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Remove the ability to create computer > accounts in the computer container > > Hello, > > Maybe the collective minds here can come up with something..... > > I have given a group (Join Computers to the Domain group) the > rights to join computers to the domain through the Default > Domain policy. Only this group has rights to join computers > to the domain. > > I have created a web page that creates a computer account (it > checks first to make sure the computer account does not > exist) base upon department specific input from the user. > Once the account is created the user names his computer the > same as the computer account and joins the domain. > > The problem I am having is that some of the user that are > members of the Join Computers to the Domain group are not > using the web page. They are using "My network place", > advanced, network identification.....ect to join the domain. > This creates a computer account in the computer container. > When this happens I get a computer account showing up in the > computer container that I do not know what department it belongs to. > > My solution (that does not work) was to remove all rights > (including System > rights) to the computer container. I figured without rights > they would not be able to create the computer accounts. This > did not work so I denied the ability to create all child > objects for the Join computers group in the Computers > Container. This did not work so I denied the right for > Everyone. Also did not work. > > Any ideas on how to prevent all users from creating computer > objects in the computers container? > > Thanks > Greg > > > > Greg Felzer > MCSE NT4, MCSE 2000, CCA, CCNA, CNA > Senior Systems Engineer > Center for Computing and Information Technology > Medical University of South Carolina > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
