Title: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container
Oops. I now see Guido's reply. My apologies for the redundancy.
 
-----Original Message-----
From: Merry, Joel (US - Philadelphia)
Sent: Sun 3/9/2003 11:31 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

It sounds like you may need to modify the Domain Controller Security Policy and remove "Authenticated Users" (and the security group you created if you've placed them in here) from "Add Workstations" under Security Settings/Local Policies/User Rights Assignment ... This will prevent users, and the members of your security group, from joining their own machines to the domain and placing them in the default Computers container.
 
-Joel
 
-----Original Message-----
From: Greg Felzer [mailto:[EMAIL PROTECTED]
Sent: Thu 2/27/2003 1:51 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

Yes that probably would work.  I will give it a try.

Thanks

Greg Felzer

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bjelke John A Contr
AFRL/VSIO
Sent: Thursday, February 27, 2003 12:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

Greg, if you create an "Acct Creation user", and set your script to use
those credentials from the webpage, wouldn't that work for you? In this way,
you can grant computer acct creation rights to just that user and set the
quotas on everyone else to prevent creation of accts through any method
other than your script, which is set up to create the acct in the proper
container.

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 27, 2003 9:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container


Ms-DS-machineAccountQuota is an optional attribute of the samDomain class,
which is an auxiliary class that is attached to the domainDNS class.

-----Original Message-----
From: Greg Felzer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 27, 2003 7:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container


The web script authenticates against AD and checks for group membership in
the "Join Computer to the Domain" group.  If they are members of the group
they are allowed to create the computer account.  Their userid is used for
the creation of the computer account.

This group (Join Computer to the Domain) is allowed to create computer
accounts in the appropriate OU and is denied 'create all child objects' in
the computer container (which does not prevent them from creating the
computer account). 

Unless I can set the msDS-MachineAccountQuota on the computer container to
prevent everyone from creating computer accounts in this container, the user
would still be able to create a computer account in the computer container
by joining the domain using "My Network Places".

BTW I cannot find the msDS-MachineAccountQuota property using ADSI edit, set
to show all properties on any of my user accounts or on the computer
container.  What object type is the msDS-MachineAccountQuota property
available for?

Thanks,

Greg Felzer

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bjelke John A Contr
AFRL/VSIO
Sent: Wednesday, February 26, 2003 3:40 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

Greg,
        If you restrict it so that no one except the user your web script
runs as can create accts and are specifying the container in your script,
then they will still be able to create accts, they will just be forced to
use your web script to do so. This would achieve your stated goal, wouldn't
it?

-----Original Message-----
From: Greg Felzer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 26, 2003 1:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container


Wouldn't this prevent all users from creating computer accounts?  I do not
want to prevent them from creating them, just prevent them from creating
them in the computers container.

Greg Felzer

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Sullivan, Kevin
Sent: Wednesday, February 26, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

You may want to look into changing the default msDS-MachineAccountQuota.
This setting allows any user to create 10 computer accounts by default. You
can change this via a script, LDP or ADSI edit. If you change the default
value to 0 then your delegation model will probably work but the default
behavior will be changed.

It may work...

Kevin

-----Original Message-----
From: Greg Felzer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 26, 2003 11:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Remove the ability to create computer accounts in the computer container

Hello,

Maybe the collective minds here can come up with something.....

I have given a group (Join Computers to the Domain group) the rights to join
computers to the domain through the Default Domain policy.  Only this group
has rights to join computers to the domain.

I have created a web page that creates a computer account (it checks first
to make sure the computer account does not exist) based upon department
specific input from the user.  Once the account is created the user names
his computer the same as the computer account and joins the domain.

The problem I am having is that some of the users who are members of the
Join Computers to the Domain group are not using the web page.  They are
using "My Network Places", advanced, network identification, etc. to join
the domain.  This creates a computer account in the computer container. When
this happens I get a computer account showing up in the computer container
and I do not know what department it belongs to.

My solution (that does not work) was to remove all rights (including System
rights) to the computer container.  I figured without rights they would not
be able to create the computer accounts.  This did not work so I denied the
ability to create all child objects for the Join computers group in the
Computers Container.  This did not work so I denied the right for Everyone.
Also did not work.

Any ideas on how to prevent all users from creating computer objects in the
computers container?

Thanks
Greg



Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
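The thread turns on two settings: the ms-DS-MachineAccountQuota attribute on the domain object (default 10, which is why ACL changes on the Computers container alone did not stop the joins) and the "Add workstations to domain" user right on the domain controllers. The script below is an added audit example, not code from any of the posters; it uses the ADSI provider from PowerShell (so no RSAT module is required) and secedit.exe, assumes it is run on a domain-joined host (on a DC for the user-right check to reflect the DC policy) by an account permitted to read the domain object, and assumes the function names and the temporary file path are our own choices.

```powershell
# Audit (and optionally enforce) the two controls discussed in the thread:
#   1. ms-DS-MachineAccountQuota on the domain object: 10 by default; 0 means
#      only principals explicitly granted create rights can add computer objects.
#   2. The "Add workstations to domain" user right (SeMachineAccountPrivilege):
#      Authenticated Users hold it by default on DCs.
# Added example; assumes a domain-joined Windows host and the ADSI COM provider.

function Get-DomainDN {
    # RootDSE gives the domain naming context without hard-coding the DN
    ([ADSI]"LDAP://RootDSE").defaultNamingContext
}

function Get-MachineAccountQuota {
    param([string]$DomainDN = (Get-DomainDN))
    $domain = [ADSI]"LDAP://$DomainDN"
    # The attribute lives on the domainDNS object (via the samDomain auxiliary
    # class), which is why it is not visible on user objects or on CN=Computers.
    [int]$domain.Get("ms-DS-MachineAccountQuota")
}

function Set-MachineAccountQuota {
    param(
        [int]$Quota = 0,
        [string]$DomainDN = (Get-DomainDN)
    )
    $domain = [ADSI]"LDAP://$DomainDN"
    $domain.Put("ms-DS-MachineAccountQuota", $Quota)
    $domain.SetInfo()
    # Read back so the caller sees the committed value
    Get-MachineAccountQuota -DomainDN $DomainDN
}

function Get-AddWorkstationsRight {
    # Export the effective local security policy and extract the holders of the
    # right that governs domain joins. Run on a DC to see the DC policy.
    $inf = Join-Path $env:TEMP "secpol-audit.inf"   # assumed scratch path
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $inf |
        Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # The value is a comma-separated list; SIDs are prefixed with '*'
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Translate SIDs such as *S-1-5-11 to readable account names
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                ).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

# --- usage ---
$quota = Get-MachineAccountQuota
Write-Host "ms-DS-MachineAccountQuota = $quota"
if ($quota -gt 0) {
    Write-Warning "Any authenticated user may still join up to $quota machines into the default Computers container."
}

$holders = Get-AddWorkstationsRight
Write-Host "SeMachineAccountPrivilege holders: $($holders -join ', ')"
if ($holders -contains 'NT AUTHORITY\Authenticated Users') {
    Write-Warning "Authenticated Users hold 'Add workstations to domain'; restrict it to the delegated join group."
}

# Uncomment to enforce: after this, only explicitly delegated principals
# (such as the web script's account) can create computer objects.
# Set-MachineAccountQuota -Quota 0
```

Setting the quota to 0 closes the path Greg describes (users joining via the network identification dialog and landing in CN=Computers) while leaving the delegated group's explicit create rights on the departmental OUs intact; the user-right check is the complement Joel points at, since a quota of 0 and an "Add workstations to domain" grant are evaluated separately.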

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law.  If you are not the intended recipient, you should delete this message.  Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.