#1
Hi ALL,

I'd like to configure the security settings for the computer accounts so that they only allow a domain user to join the domain (nothing else, including changing the computer account name, etc.). I tried to create a dummy computer account using (Active Directory Users and Computers -> New Computer Wizard) and specified a domain user account in "The following user or group can join this computer to a domain". The domain account can join the domain but can also modify the computer name (simply change the computer name in the Windows client, and the computer account will be modified after reboot).

Does anyone know what the minimum security settings of the computer account object are so that the domain account has only the join-domain privilege and no others, especially changing the computer account name?

TIA
M C
#2
Not sure if that is possible, but perhaps this will set you on the right track to explore.

The permissions required to join a computer to the domain are shown in KB 932455. I prefer not to use the Delegation Wizard for various reasons; the same thing can be done using the Security tab in the Properties of the OU containing the computer accounts.

Not sure exactly which "Properties" a user needs to be able to "Write" to join a computer to a domain, but I do know that at least some of them are written during the "join" operation - if I leave out the "Write All Properties", users can't join the computer to the domain - presumably a subset would work, but I don't know which ones.

1. in the Security tab, click Advanced...
2. click Add...
3. key the name of the user or group you want to grant the permissions to; click OK
4. from the Apply onto: box, select Computer Objects
5. add check marks in the Allow column in these rows:
   - Write All Properties (or select the Properties tab to grant Write to only those that are required)
   - Reset Password
   - Validate write to DNS host name
   - Validate write to service principal name
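The four ACEs from the reply above, scripted with the ActiveDirectory PowerShell module so the delegation can be reviewed and repeated; this is an added example, not part of the original thread. The OU distinguished name and group name are constructed placeholders, and the GUIDs are the well-known schema identifiers for the computer class and the three rights.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed placeholders: replace with your own OU and delegated group.
$ouDn      = 'OU=Workstations,DC=example,DC=com'
$groupName = 'Workstation-Joiners'

# Well-known schema / rights GUIDs.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password
$dnsHostName   = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$spn           = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name

$sid   = (Get-ADGroup -Identity $groupName).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$R     = [System.DirectoryServices.ActiveDirectoryRights]
# "Apply onto: Computer objects" = inherit to descendants of class computer only.
$scope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # Write All Properties (the reply notes a narrower subset may be enough)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $R::WriteProperty, $allow, $scope, $computerClass)
    # Reset Password is an extended right
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $R::ExtendedRight, $allow, $resetPassword, $scope, $computerClass)
    # The two validated writes are "Self" rights scoped by GUID
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $R::Self, $allow, $dnsHostName, $scope, $computerClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $R::Self, $allow, $spn, $scope, $computerClass)
)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $path -AclObject $acl

# Review what is now delegated on computer objects under this OU.
(Get-Acl -Path $path).Access |
    Where-Object { $_.InheritedObjectType -eq $computerClass -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType |
    Format-Table -AutoSize
```

Run the final `Get-Acl` query on its own to audit which principals hold rights over computer objects in an OU.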