RE: Delegation of Control in Windows 2008 R2 DFL/FFL questions

2011-08-09 Thread Miller Bonnie L.
Was out on vacation last week (if painting counts as vacation 8), but if you 
didn't already find them, here's what we have.  I also went with a group like 
Jon, so we could put our repair technicians in there, and for anyone else down 
the road who needs to have the privilege added/removed.

For each high-level container, add detailed permissions for that group:

Object tab
Apply to: Descendant Computer Objects
Read all properties Allow
Write all properties Allow
Delete Allow
Reset Password Allow

Object tab
Apply to: This object and all descendant objects
Create Computer objects Allow
Delete Computer objects Allow



From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Friday, July 29, 2011 8:50 PM
To: NT System Admin Issues
Subject: Re: Delegation of Control in Windows 2008 R2 DFL/FFL questions

I went with putting a group into the default domain GPO that was able to add 
machines.  I did that originally because I had been told that the office 
manager needed to add machines as they arrived.  Shortly after that 
management told me never mind, the office manager did not want the extra work.  
Left the group in there and only put the two non-admin user IDs of us that 
would be adding machines into it.  We had DA status but when moving machines 
around the office we used our regular accounts.  These were usually stored 
machines that were way out of production kept for emergencies.

Jon
On Fri, Jul 29, 2011 at 4:08 PM, Ziots, Edward 
ezi...@lifespan.org wrote:
To the list,

Been reading up on delegation of control wizard, and it seems that it can be 
customized as per
http://support.microsoft.com/kb/308404

And there are additional templates in the following document:
Best Practices for Delegating Active Directory Administration Appendices
http://www.microsoft.com/download/en/confirmation.aspx?id=20145

Can these be applied through the Windows 7 RSAT tools to a Windows 2008 R2 
DFL/FFL domain?

Secondly, does anyone have the specific permissions that need to be granted to 
the Computers Container so that a specific group can join computers to the 
domain (and pop them out) as needed, so I can remove these users from Domain 
Admins. (I know create and delete computer objects is needed, but I am sure 
there are a few others I don't know about.)  The same set of users would be 
moving the computer accounts to other OU's which they will have read/write 
access to accordingly.

I also got this off Jorge's Blog
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
(Right now in Windows 7, the Delegwiz.inf file is in the c:\windows\system32 
directory and not in %windows%\inf as stated.) Does this section just need to be 
added to the delegwiz.inf file and saved, and it then shows up in the ADUC MMC 
snapin when doing delegation of control next time?

This way you can delegate the creation of computer accounts to group1 and the 
joining of the computers to group2.

It is, however, also possible that you have a group of people who create 
computer accounts and also join them. To enable everyone in that group to create 
computer accounts and join the computers to the domain, independent of who created 
the computer accounts, replace TEMPLATE 6 with what is mentioned below, or 
perform the delegation twice with the additional task created above! If you want 
to join a computer to the domain in a specific OU and the computer account has 
not been pre-created, you cannot use the GUI at the computer. For this you must 
use the tool NETDOM, so you can specify the OU the computer account must reside 
in! The latter is only possible when you at least have the right to create 
a computer object in the designated OU. Joining will also be possible because 
you automatically become the owner of the computer account!

;--
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container

Description = Add and/or join a computer to the domain in an OU (computer)

ObjectTypes = SCOPE, computer

[template6.SCOPE]
;Right to create computer objects
computer=CC

[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= Reset Password,Validated write to DNS host name,Validated write to service principal name, Account Restrictions

Thanks for the replies in advance,
EZ


Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


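The permissions Bonnie lists above, and the narrower template6 rights from Jorge's blog quoted in Ed's original message, applied with PowerShell instead of clicking through the ADUC Advanced Security dialog. This is an added example and not code from the thread or from Microsoft; the OU distinguished name, the group name and the $minimal switch are constructed placeholders, and the script assumes the RSAT ActiveDirectory module (which also provides the AD: drive used by Get-Acl/Set-Acl).

```powershell
# Added example (not from the thread): delegate "create/delete/join computers"
# on one OU to a group. Placeholders below are constructed for this example.
Import-Module ActiveDirectory

$ouDN      = "OU=Workstations,DC=example,DC=com"   # placeholder OU (assumption)
$groupName = "Workstation-Join-Techs"               # placeholder group (assumption)
# $true  -> template6-style minimal join rights (validated writes + Account Restrictions)
# $false -> Bonnie's broader grant (Read all / Write all properties on computers)
$minimal   = $true

# Look up a right or property set by display name in CN=Extended-Rights, so the
# script does not rely on hard-coded GUIDs.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

# schemaIDGUID of a class (here: computer), used to scope ACEs to that object type.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

$sid           = (Get-ADGroup -Identity $groupName).SID
$computerClass = Get-SchemaClassGuid 'computer'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

$R     = [System.DirectoryServices.ActiveDirectoryRights]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$aces = @()
# "This object and all descendant objects": Create / Delete Computer objects
$aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($R::CreateChild -bor $R::DeleteChild), $Allow, $computerClass, $All)
# "Descendant Computer Objects": Delete, and the Reset Password extended right
$aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $R::Delete, $Allow, $Desc, $computerClass)
$aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $R::ExtendedRight, $Allow, $resetPassword, $Desc, $computerClass)

if ($minimal) {
    # template6 rights: validated writes (ActiveDirectoryRights.Self) to
    # dNSHostName / servicePrincipalName, plus the Account Restrictions property set
    foreach ($name in 'Validated write to DNS host name',
                      'Validated write to service principal name') {
        $aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $R::Self, $Allow, (Get-ExtendedRightGuid $name), $Desc, $computerClass)
    }
    $aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($R::ReadProperty -bor $R::WriteProperty), $Allow,
        (Get-ExtendedRightGuid 'Account Restrictions'), $Desc, $computerClass)
} else {
    # Bonnie's grant: Read all properties + Write all properties on computers
    $aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($R::ReadProperty -bor $R::WriteProperty), $Allow, $Desc, $computerClass)
}

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify what the group now holds on the OU (ObjectType GUIDs map to the rights above)
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The two branches differ in blast radius: "Write all properties" on computer objects lets the group change any attribute of any descendant computer (including ones it did not create), while the template6 set only grants what a domain join actually writes. Either way, run it against a test OU first, as Ed plans to, and compare the verification output with the Advanced Security dialog before touching the Computers container.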

RE: Delegation of Control in Windows 2008 R2 DFL/FFL questions

2011-08-09 Thread Ziots, Edward
Thanks Bonnie, I will be putting those in on my Computers Container and
representative OU that I am going to be doing moving forward and see how
the testing goes accordingly.

I am sure my workstation group might not like it that much, but this
should have been done a long time ago.

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

Re: Delegation of Control in Windows 2008 R2 DFL/FFL questions

2011-07-29 Thread Jon Harris
I went with putting a group into the default domain GPO that was able to add
machines.  I did that originally because I had been told that the office
manager needed to add machines as they arrived.  Shortly after that
management told me never mind, the office manager did not want the extra
work.  Left the group in there and only put the two non-admin user IDs of
us that would be adding machines into it.  We had DA status but when moving
machines around the office we used our regular accounts.  These were usually
stored machines that were way out of production kept for emergencies.

Jon
