dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
783

jjwaldick
join:2005-11-01
St Williams, ON

jjwaldick

Member

[2K3] WIN2003 Server AD Question: MS Server 2003 R2 x64 Edition

I would like to allow curtain users the ability to add computers to the domain, but only if the computer object has been created by domain admin. This would allow me to control the network names of the computers and the amount of computers joining my domain.

Hopefully someone can help me. Thanks

psafux
Premium Member
join:2005-11-10

psafux

Premium Member

Re: [2K3] WIN2003 Server AD Question: MS Server 2003 R2 x64 Edit

Not an AD expert but I have dabbled in it a fair amount. I think those two options are mutually exclusive. You can assign specific users the ability to add computers to the domain or you can deny the ability thus requiring the AD admin, presumably you by the context, to add them as needed.

If it's a small network you can monitor the active computers list easily enough and deal with individuals who are abusing the process individually. If there is a security reason to keep certain systems off the network I would be hesitant to allows others the "add to domain' privilege.

In a larger network there are ways to query AD to return a list of newly added systems.

jjwaldick
join:2005-11-01
St Williams, ON

jjwaldick

Member

Thanks for the reply.

Would you know the exact location or procedure to set this up. Just to clarify my question, I want someone to be able to add a computer to the domain, but only if the trusted computer already exist in the computer OU. If it does not exist it will deny until the computer is created in the OU, thus allowing the network admin to control what computer names are joined to the domain.

Thanks

psafux
Premium Member
join:2005-11-10

psafux

Premium Member

Sorry if my reply was confusing, I can see how it would be. As far as I know if you grant permission to someone to add a computer to the domain they will be able to do it regardless of whether it exists as an object already.

To put this in another perspective, it would be like granting a user access to a folder but they can only access it if they clear it with you first -- as you know it doesn't work that way. Permissions are all or none for the permission & object.

If you grant someone the ability to do something they will be able to do it. The system will presume the permission grantor trusts the individual. There is no partial trust with permissions.

I would be humbled & eager to see a different reply explaining how this is doable. As I said earlier I am far from an expert, just wanted to offer my cent or two.

jjwaldick
join:2005-11-01
St Williams, ON

jjwaldick

Member

My friends company network admins some how setup their network in the way I described. Admin accounts can go into active directory and add computers in the computer OU. Once any admin adds the trusted computer in AD, then the joindomain account can join the computer to the domain. But if the computer does not exist in AD first, then it can not join. Plus that joindomain account does not have permission to go into active directly and create the computer in the trust computer list.

psafux
Premium Member
join:2005-11-10

psafux

Premium Member

I would ask your friends company network admin how they did it honestly if I were in your shoes. They seem to be the missing key to your puzzle.

WireHead
I drive to fast
Premium Member
join:2001-05-09
Muncie, IN

WireHead to jjwaldick

Premium Member

to jjwaldick
Using ASDI edit, modify the quantity of computers a user can join to the domain to 0 (zero). From this point on only users within a group properly configured to do so and the admin(s) groups are allowed to join them to the domain. Non admins will only be able to join the domain if the name already exists. Admins will be unrestricted.

jjwaldick
join:2005-11-01
St Williams, ON

jjwaldick

Member

Thanks. I will give it a try and reply if this resolves my question.

WireHead
I drive to fast
Premium Member
join:2001-05-09
Muncie, IN

WireHead to jjwaldick

Premium Member

to jjwaldick
No applause, just throw money.

jjwaldick
join:2005-11-01
St Williams, ON

jjwaldick

Member

What is the attribute name I am looking for that represents quantity of computers. Also do I modify the CN=Builtin>CN=Users or CN=Users>CN=Domain Users.

WireHead
I drive to fast
Premium Member
join:2001-05-09
Muncie, IN

WireHead

Premium Member

Edit the domain NC node (DC) modify ms-DS-MachineAccountQuota