Permissions to join machine to domain

Hello Microsoft,

I want to delegate the following control to a group. I have to meet the following criteria

1. Group must be able to join a machine in his/her OU to the domain.
2. UNABLE to change/create/reset/delete or do anything else to the computer accounts in that OU.

Can anyone break down which granular permissions I need to set on the OU.....

Thanks

In news:52863A74-AA6E-47BE-907A-F4942603443F@microsoft.com,
Drew <D***@discussions.microsoft.com> stated, which I commented on below:
> Hello Microsoft,
>
> I want to delegate the following control to a group. I have to meet
> the following criteria
>
> 1. Group must be able to join a machine in his/her OU to the domain.
> 2. UNABLE to change/create/reset/delete or do anything else to the
> computer accounts in that OU.
>
> Can anyone break down which granular permissions I need to set on the
> OU.....
>
> Thanks

By default, a user can add up to 10 computers in a domain. That can be changed in ADSI Edit, DomainNC, rt-click properties of the domain.com name, scroll down to (memory now...) dsmachine quota. By default it's not set, but it's 10.

For delegation and more info on the above, see the first one below.

251335 - Domain Users Cannot Join Workstation or Server to a Domain:
http://support.microsoft.com/?id=251335

Download details Best Practices for Delegating Active Directory Administration:
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

315676 - HOW TO- Delegate Administrative Authority in Windows 2000 (extra links in this one):
http://support.microsoft.com/default.aspx?scid=kb;en-us;315676

Q279723 - How to Grant Help Desk Personnel the Specific Right to Unlock Locked User Accounts:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q279723&

294777 - How to Delegate Group Policy Control to users in Trusted Domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294777

221577 - HOW TO- Delegate Authority for Editing a Group Policy Object (GPO):
http://support.microsoft.com/default.aspx?scid=kb;en-us;221577

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express or any other newsreader), and configure a news account, pointing to news.microsoft.com. This is a direct link to the Microsoft Public Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you to easily find, track threads, cross-post, sort by date, poster's name, watched threads or subject.

Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.

The only thing in life is change. Anything less is a blackhole consuming unnecessary energy.
===========================

Thanks but those links really didn't help.
I'm looking for just a list of ACL/ACE permissions to allow only joining to the domain.

In news:A221941E-0DEE-47B6-AD47-968D1195F7AF@microsoft.com,
Drew <D***@discussions.microsoft.com> stated, which I commented on below:
> Thanks but those links really didn't help.
>
> I'm looking for just a list of ACL/ACE permissions to allow only
> joining to the domain.

Sorry, I don't have a link for that. Maybe someone else can post them, if there is one that exists. But keep in mind as I mentioned earlier, by default, any user can add up to 10 computers in a domain.

Ace
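
An added example, not part of the thread or any poster's own code: a PowerShell audit of the default quota discussed in the replies above. It assumes the ActiveDirectory (RSAT) module is available and that the setting the reply recalls from memory is the `ms-DS-MachineAccountQuota` attribute on the domain object; the function name and the optional `-Server` parameter are hypothetical.

```powershell
# Added example: reports the domain's machine account quota and how many
# computer accounts each non-admin principal has already created under it.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaUsage {
    param(
        [string]$Server   # optional domain controller name (assumption for this example)
    )

    $common = @{}
    if ($Server) { $common.Server = $Server }

    # The quota is stored on the head object of the domain naming context.
    $domain  = Get-ADDomain @common
    $headObj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota' @common
    $quota   = $headObj.'ms-DS-MachineAccountQuota'

    # Computer objects created through the quota record the creator's SID
    # in mS-DS-CreatorSID; accounts pre-created by administrators do not.
    $joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID' @common

    $joined | Group-Object { $_.'mS-DS-CreatorSID'.Value } | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Name)
        try {
            $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $who = $_.Name   # deleted or unresolvable account: keep the raw SID
        }
        [pscustomobject]@{
            Creator   = $who
            Joined    = $_.Count
            Quota     = $quota            # value as read from the directory
            Computers = ($_.Group.Name -join ', ')
        }
    }
}

Get-MachineAccountQuotaUsage | Sort-Object Joined -Descending | Format-Table -AutoSize
```

Principals listed here joined machines through the default quota rather than through a delegation on an OU, which is the behaviour the original question was trying to constrain.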