Reply to psafux
Re: [2K3] WIN2003 Server AD Question: MS Server 2003 R2 x64
Thanks for the reply.
Would you know the exact location or procedure to set this up? Just to clarify my question, I want someone to be able to add a computer to the domain, but only if the trusted computer already exists in the computer OU. If it does not exist it will deny until the computer is created in the OU, thus allowing the network admin to control what computer names are joined to the domain.
Sorry if my reply was confusing, I can see how it would be. As far as I know if you grant permission to someone to add a computer to the domain they will be able to do it regardless of whether it exists as an object already.
To put this in another perspective, it would be like granting a user access to a folder but they can only access it if they clear it with you first -- as you know it doesn't work that way. Permissions are all or none for the permission & object.
If you grant someone the ability to do something they will be able to do it. The system will presume the permission grantor trusts the individual. There is no partial trust with permissions.
I would be humbled & eager to see a different reply explaining how this is doable. As I said earlier I am far from an expert, just wanted to offer my cent or two.
My friend's company network admins somehow set up their network in the way I described. Admin accounts can go into Active Directory and add computers in the computer OU. Once any admin adds the trusted computer in AD, then the joindomain account can join the computer to the domain. But if the computer does not exist in AD first, then it cannot join. Plus that joindomain account does not have permission to go into Active Directory and create the computer in the trusted computer list.
I would ask your friend's company network admin how they did it honestly if I were in your shoes. They seem to be the missing key to your puzzle.
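The setup the thread describes (an admin pre-stages the computer object, and a separate join account can only join machines whose object already exists) is the standard "pre-staged computer account" pattern: lower the domain's machine account quota to 0 so ordinary users cannot create their own computer objects, create the object in the controlled OU as an admin, and delegate the join-related rights on that one object only. The following PowerShell is an added example and is not code from any poster; the domain, OU name `Workstations`, account `CORP\joindomain` and computer name `WS001` are assumed placeholders, and it assumes the ActiveDirectory RSAT module on a machine where you are a domain admin.

```powershell
# Added example: pre-stage a computer object and delegate join rights on that object only.
# Assumed values (not from the thread): OU "Workstations", join account CORP\joindomain,
# computer name WS001. Run as a domain admin with the ActiveDirectory module available.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ou       = "OU=Workstations,$domainDN"   # assumed controlled OU
$joinUser = "CORP\joindomain"             # assumed delegated join account
$name     = "WS001"                       # assumed computer name

# 1. Close the default side door: by default any authenticated user may create up to
#    10 machine accounts (ms-DS-MachineAccountQuota). With the quota at 0, a join only
#    succeeds when an admin has already pre-staged the computer object.
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Admin pre-stages the computer object in the controlled OU.
New-ADComputer -Name $name -SamAccountName $name -Path $ou -Enabled $true

# 3. Delegate, on this object only, the rights a domain join needs. These are the ACEs
#    ADUC writes when you tick "User or group: can join this computer to the domain".
$computerDN = (Get-ADComputer -Identity $name).DistinguishedName
$sid = (New-Object System.Security.Principal.NTAccount($joinUser)).Translate(
          [System.Security.Principal.SecurityIdentifier])

# Well-known AD schema GUIDs for the rights involved.
$resetPassword    = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$validatedDnsName = [Guid]'72e39547-7b18-11d1-adef-0000f87571e5'  # validated write: DNS host name
$validatedSpn     = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # validated write: SPN
$accountRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # property set: Account Restrictions

$acl = Get-Acl -Path "AD:\$computerDN"
$rules = @(
  New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight',  'Allow', $resetPassword),
  New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'Self',           'Allow', $validatedDnsName),
  New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'Self',           'Allow', $validatedSpn),
  New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'WriteProperty',  'Allow', $accountRestrict)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$computerDN" -AclObject $acl

# 4. Verify the split: the join account has rights on WS001 itself ...
(Get-Acl -Path "AD:\$computerDN").Access |
  Where-Object { $_.IdentityReference.Value -eq $joinUser } |
  Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize

# ... but holds no CreateChild right on the OU, so it cannot stage new computer objects.
(Get-Acl -Path "AD:\$ou").Access |
  Where-Object { $_.IdentityReference.Value -eq $joinUser -and $_.ActiveDirectoryRights -match 'CreateChild' }
```

With the quota at 0 and no CreateChild right on the OU, a join attempt for a name that has not been pre-staged fails, which is exactly the behaviour described for the friend's network; the join account's reach is limited to objects an admin has deliberately created. Repeat step 2 and 3 for each machine (or wrap them in a function) and audit the OU's ACL periodically to confirm nobody has been granted CreateChild on it.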