Just FYI -

        We redirected our default "computer creation" OU.  The nice side
effect being that we can now apply policy to that OU (as opposed to the
built-in container, where you cannot).

        Thanks...

-DaveC
Reuters America

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, February 14, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

That is also a possibility, however I have multiple domains and
workstations exist in different OUs.  If I was to go through the
process of creating an OU and delegating authority, why not just remove
authenticated users, add in the group I want into the DDC GPO and then
modify the quota so they create accounts in the computer container?
Either way the computer accounts still have to be moved.

Thanks for your help.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Monday, February 14, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

 
Yep, that's one way to do it. I myself would prefer to remove
Authenticated Users from the DDC GPO, create a group and assign that
group permissions on the OU where the accounts should remain and
additionally (if needed) redirect computer account creation to that one
OU (as mentioned in
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_pyog.asp)

Cheers
jorge
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, February 14, 2005 15:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

I could follow method three couldn't I?  I could remove Authenticated
Users and add in my Helpdesk Staff Security Group into the DDC GPO
Policy and then modify this default setting to enable them to add many
computers to the domain.  

Someone please check my logic here.  Thanks

http://support.microsoft.com/kb/251335/EN-US/


Method 3: Override the Default Limit of the Number of Computers an
Authenticated User Can Join to a Domain

You can override the default limit, using either of the following
methods:

* Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000
  Resource Kit.
* Use an Active Directory Services Interface (ADSI) script to increase
  or decrease the value of the Active Directory
  ms-DS-MachineAccountQuota attribute. To do this:

  1. Install the Windows 2000 Support tools if they have not already
     been installed. To install these tools, run Setup.exe from the
     Support\Tools folder on the Windows 2000 Server or the Windows
     2000 Professional CD-ROM.
  2. Run Adsiedit.msc as an administrator of the domain.
  3. Expand the Domain NC node. This node contains an object that
     begins with "DC=" and reflects the correct domain name.
     Right-click this object, and then click Properties.
  4. In the Select which properties to view box, click Both.
  5. In the Select a property to view box, click
     ms-DS-MachineAccountQuota.
  6. In the Edit Attribute box, type a number. This number represents
     the number of workstations that you want users to be able to
     maintain concurrently.
  7. Click Set, and then click OK.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, February 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

To delegate the permissions -> yes

I would, however, consider removing authenticated users from the
privilege "add workstations to domain" in the DDC GPO

Greetz
Jorge 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, February 11, 2005 16:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

So I would have to use the delegation wizard at the OU level to add
workstations to the domain and ignore the user rights assignments at the
DC Level?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Thursday, February 10, 2005 3:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain


Justin,

The "Add workstations to domain" user right (configured at DC level) by
default assigns each authenticated user the right to add 10 computers
(default configured quota for this) to the domain. Those computers will
be placed in the COMPUTERS CONTAINER and the default owner is "Domain
Admins".
However users can be granted an unlimited number of computers they can
add to the domain if the permission has been granted to those users on a
certain OU, independently of whether the user right "add workstations to
domain" has been granted or not. The owner of the latter objects will be
the accounts that created them.
Most of the time it is not acceptable that users add computers to the
domain just like that. In the environment I created the design for, I
removed authenticated users from the user right, created a global group
and granted that global group permissions over a certain OU to create
computer accounts.

If I'm correct the computer accounts need to be created first and then
you can join the computer to the domain (as with the join dialog box
there is no possibility to specify an OU) and with tools (e.g. NETDOM)
where you have the possibility to directly add a computer I presume it
is possible to do this without first creating the computer account.

Cheers,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, February 09, 2005 19:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Add Computer to Domain

If I wanted to grant a group the rights to join computers to the domain
should I configure the User Assignment setting of a GPO to do that and
if so should I create that GPO on the OU I want them to join computers
to or do I have to do it at the domain level or within the Domain
Controllers Policy? 

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
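
Added example (not part of the original thread or of the Microsoft KB article): a read-only PowerShell audit of the settings the thread discusses, namely the ms-DS-MachineAccountQuota value, who holds "Add workstations to domain" in the Default Domain Controllers Policy, where new computer accounts land by default, and which accounts have created computers through the user right. It assumes the ActiveDirectory RSAT module (which postdates these messages) and read access to SYSVOL; the OU in the commented lines at the end is a placeholder.

```powershell
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Quota behind the "Add workstations to domain" user right (default 10).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# Holders of that right as written in the Default Domain Controllers Policy
# security template (well-known GPO GUID; *S-1-5-11 is Authenticated Users).
# If another GPO linked to the DCs also defines the right, check it the same way.
$gpt = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\" +
       '{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\' +
       'Windows NT\SecEdit\GptTmpl.inf'
$right = Select-String -LiteralPath $gpt `
    -Pattern '^SeMachineAccountPrivilege\s*=\s*(.*)$' | Select-Object -First 1
$holders = if ($right) {
    $right.Matches[0].Groups[1].Value -split ',' | ForEach-Object { $_.Trim() }
} else { @() }

# Container that receives new accounts when no OU is named; it differs from
# CN=Computers once computer creation has been redirected.
$target = $domain.ComputersContainer

# Accounts created through the user right record their creator in
# mS-DS-CreatorSID, so grouping on it shows who is consuming the quota.
$perCreator = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
        -Properties 'mS-DS-CreatorSID' |
    Group-Object { $_.'mS-DS-CreatorSID'.ToString() } |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Creator'; e = {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.Name
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # creator deleted or unresolvable: keep the SID
    } }

[pscustomobject]@{
    MachineAccountQuota = $quota
    RightHolders        = $holders -join ', '
    DefaultContainer    = $target
    Redirected          = $target -notlike 'CN=Computers,*'
} | Format-List
$perCreator | Format-Table -AutoSize

# Changes discussed in the thread (not run here; values are placeholders):
#   Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = <n> }
#   redircmp "OU=Workstations,DC=example,DC=com"
```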


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.


-----------------------------------------------------------------
        Visit our Internet site at http://www.reuters.com

Get closer to the financial markets with Reuters Messaging - for more
information and to register, visit http://www.reuters.com/messaging

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.
