Allowing users to *only* add computers to the domain

Discussion in 'Active Directory' started by Baboon, Apr 16, 2009.

  1. Baboon

    Baboon Guest

    We have a couple of different levels of IT worker in my environment. For the
    most trusted workers who need to add multiple computers to the domain, we
    have given them the following rights on the Computers container:
    Create/Delete Computer Objects on "This object and all descendant objects"
    Full Control on "Descendant Computer objects"
    Also, individuals have Full Control of the OUs that they manage. So those
    people are able to join computers to the domain even if the computer object
    already exists in the Computers container or their own OU.

    The problem is that we would like a slightly less trusted group to be able
    to add computers to the domain, but not delete them. Ideally they would be
    able to do this even if the computer account already exists in the Computers
    container or the OU that they help manage. I'm wondering if this would work:
    Create Computer Objects on "This object and all descendant objects".
    Some sort of special permissions on "Descendant Computer objects" that would
    include "Change Password" and some other rights.

    Thanks.
     
    Baboon, Apr 16, 2009
    #1


  2. That's kind of tricky. Keep in mind, regular user accounts can join a
    computer to a domain, but they can't update an account already installed.
    They have the ability to add it to the computers container by default. But
    if you need them to overwrite a computer account already installed, they
    would need more permissions, that would of course include deleting them.

    I would suggest that the less than trusted group does not have the ability
    to update existing computer objects and require them to put in a service
    request to the group that can either delete the existing object, or have
    them join/rejoin the machine to the domain.


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Apr 16, 2009
    #2

  3. Marcin

    Marcin Guest

    Take a look at the article posted by Jorge Pinto regarding delegation at
    http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx (section
    1).
    In essence, what you can do is to pre-create computer accounts that
    subsequently would be joined to the domain by members of the "slightly less
    trusted group". The privileges required by this group would be limited to
    "Reset Password", "Validated write to DNS host name", "Validated write to
    service principal name", "Account Restrictions".
    In addition, you should revoke "Add workstations to domain" from
    Authenticated Users group - and grant it to the "most trusted workers" group
    instead...

    hth
    Marcin
     
    Marcin, Apr 16, 2009
    #3
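The delegation Marcin describes, written out as an added PowerShell example (not code from the thread or from the linked article). It grants exactly the four rights he lists, scoped to descendant computer objects of one OU, and deliberately omits Create/Delete Child so the group can join a pre-created account but cannot create or remove objects. The OU "OU=Workstations,DC=contoso,DC=com" and the group "Domain Joiners" are placeholders; the schema and rights GUIDs are the well-known fixed values from the AD schema.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module
# (AD: drive) and an account allowed to edit the ACL of the target OU.
Import-Module ActiveDirectory

$ouDn  = 'OU=Workstations,DC=contoso,DC=com'   # placeholder OU holding pre-created computer objects
$group = Get-ADGroup 'Domain Joiners'          # placeholder "slightly less trusted" group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Fixed GUIDs from the AD schema (schemaIDGUID / rightsGuid); identical in every forest.
$computerClass       = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # Computer object class
$resetPassword       = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$validatedDnsHost    = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$validatedSpn        = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name
$accountRestrictions = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set

$descendantsOnly = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow           = [System.Security.AccessControl.AccessControlType]::Allow

function New-ComputerAce {
    # Helper: build one ACE that applies only to descendant computer objects.
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights, [Guid]$ObjectType)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, $allow, $ObjectType, $descendantsOnly, $computerClass)
}

$acl = Get-Acl -Path "AD:\$ouDn"

# Reset Password is an extended right (control access right).
$acl.AddAccessRule((New-ComputerAce -Rights ExtendedRight -ObjectType $resetPassword))

# Validated writes are expressed as the "Self" right with the validated-write GUID.
foreach ($vw in $validatedDnsHost, $validatedSpn) {
    $acl.AddAccessRule((New-ComputerAce -Rights Self -ObjectType $vw))
}

# Account Restrictions is a property set; the join needs to read and write it
# (userAccountControl and friends).
$acl.AddAccessRule((New-ComputerAce -Rights 'ReadProperty, WriteProperty' -ObjectType $accountRestrictions))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Intentionally NOT granted: CreateChild / DeleteChild on the OU. The trusted
# group pre-creates the object, e.g.  New-ADComputer -Name 'WS-0001' -Path $ouDn
# and a member of 'Domain Joiners' then runs Add-Computer on that machine.

# Verify: show only the ACEs now held by the group on this OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($group.SamAccountName)" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Because every ACE is limited to descendant computer objects, the group gains nothing on the OU itself or on user, group or GPO objects inside it. If the pre-created accounts live in the default Computers container rather than an OU, substitute its DN; the same ACEs apply.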
  4. Meinolf Weber [MVP-DS], Apr 17, 2009
    #4
  5. Jorge de Almeida Pinto [MVP - DS], Apr 17, 2009
    #5
  6. Baboon

    Baboon Guest

    Thanks to everyone for the replies.

    Your suggestion for requiring a service request to the more trusted group is
    what I already had in mind, but I was afraid of resistance. Management is in
    agreement, so I don't have to do any further work.

    There was one thing that surprised me about this...
    For the less trusted group, I added the following access control entry (and
    nothing more) to the Computers container:
    Create Computer Objects on "This object and all descendant objects".
    In testing, an account belonging only to that group was successful in adding
    a new machine to the domain. This account previously had Account Operator
    rights, thus it had almost unlimited rights to join computers and had been
    used to add hundreds of computers in the past. Would this ACE have gotten
    around the 10 computer limit for users in the group?
     
    Baboon, Apr 21, 2009
    #6

  7. Good that management is buying into it. That is one big obstacle that needs
    to be overcome in many companies, and glad you have them on your side.

    As for delegation, yes, that will override the 10 add limit.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 21, 2009
    #7
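The two separate paths Ace's answer distinguishes, as an added PowerShell audit (not code from the thread): the ms-DS-MachineAccountQuota value that enforces the "10 computer" limit for joins made under the "Add workstations to domain" user right, and explicit Create Child ACEs on the Computers container, which go through the ordinary DACL check and are not counted against that quota. Domain names come from Get-ADDomain; the only assumptions are the ActiveDirectory module and read access to the domain head and the container.

```powershell
# Added example, not from the original thread. Read-only except for the
# commented-out Set-ADObject line at the end.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # Computer object class (fixed schema GUID)

# 1. The quota is an attribute of the domain NC head. Default is 10; 0 disables
#    quota-based joins entirely, leaving only explicit delegation.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot) = $quota"

# 2. Principals with an explicit Allow ACE that includes CreateChild on the
#    Computers container, either for any child class or for computer objects.
$containerDn = $domain.ComputersContainer
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$deleteChild = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

function Get-ComputerCreateAce {
    param([string]$Dn)
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $createChild) -and
            ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $computerClass)
        } |
        Select-Object IdentityReference,
            @{ n = 'CanDelete'; e = { [bool]($_.ActiveDirectoryRights -band $deleteChild) } },
            @{ n = 'Scope';     e = { if ($_.ObjectType -eq [Guid]::Empty) { 'any child class' } else { 'computer objects' } } },
            InheritanceType, IsInherited
}

"Explicit create rights on $containerDn (not subject to the quota):"
Get-ComputerCreateAce -Dn $containerDn | Format-Table -AutoSize

# Post #3's advice in one line: stop quota-based joins so that only delegated
# principals can create computer objects. Uncomment to apply.
# Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Run the function against any OU where helpers are expected to join machines as well; a Create Child ACE that appears with CanDelete = True is the "Create/Delete Computer Objects" grant the original post reserves for the most trusted group, and one with CanDelete = False is the create-only grant the less trusted group received.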