DSACLS and joining a domain

Archived from groups: microsoft.public.win2000.security

Hello,

I am wondering what the minimum permissions needed to join a computer to a
domain are? I would like to autocreate computer objects using dsadd, and
then set the appropriate permissions using dsacls. Seems easy enough, but
it is pretty slow. When adding a computer in ADUC, and specifying the
group/user who can join it to the domain, it seems to associate many
unnecessary permissions. Maybe they are all needed, but mimicking these
settings with dsacls takes forever. Any ideas?

Thanks a bunch.

Ed
  1.

    I believe the user only needs create computer objects to join computers to
    the domain. --- Steve


    "Ed Little" <SPAMlittle_eddieME@hotmail.comNOT> wrote in message
    news:1jaee.7499$uE3.84@charlie.risq.qc.ca...
    > Hello,
    >
    > I am wondering what the minimum permissions needed to join a computer to a
    > domain are? I would like to autocreate computer objects using dsadd, and
    > then set the appropriate permissions using dsacls. Seems easy enough, but
    > it is pretty slow. When adding a computer in ADUC, and specifying the
    > group/user who can join it to the domain, it seems to associate many
    > unnecessary permissions. Maybe they are all needed, but mimicking these
    > settings with dsacls takes forever. Any ideas?
    >
    > Thanks a bunch.
    >
    > Ed
    >
  2.

    By the looks of it top posting is the norm here so here we go...

    Thanks Steve, but I am a little confused.

    Is "create computer objects" a "right" that is able to be set using
    something like dsacl (or even setacl)? I have a feeling I will have to
    mimic this ACE with many iterations of dsacls, which has been very
    inefficient for me. It takes upwards of 20 seconds to apply something like
    "Reset Password" to one group for one computer object.

    Maybe there are other ways to achieve this goal? I'm sure others out there
    automate the creation of computer objects and apply rights to "join the
    domain" at the same time. It seems a very "normal" thing to do. I was
    hoping for a simple batch file approach. Something like...

    @echo off
    for /f "delims=" %%A in (comp_names.txt) do (
        dsacls "CN=%%A,OU=Computers,DC=Domain,DC=CA" /I:T /G "Domain\Add Computers Group:CA;Reset Password;"
        dsacls...
        dsacls...
    )

    I guess I will look to a PERL or VBScript solution instead. Any insight?

    Thanks,
    Ed.

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:uPCXQZZUFHA.3184@TK2MSFTNGP15.phx.gbl...
    > I believe the user only needs create computer objects to join computers to
    > the domain. --- Steve
    >
    >
    > "Ed Little" <SPAMlittle_eddieME@hotmail.comNOT> wrote in message
    > news:1jaee.7499$uE3.84@charlie.risq.qc.ca...
    > > Hello,
    > >
    > > I am wondering what the minimum permissions needed to join a computer to a
    > > domain are? I would like to autocreate computer objects using dsadd, and
    > > then set the appropriate permissions using dsacls. Seems easy enough, but
    > > it is pretty slow. When adding a computer in ADUC, and specifying the
    > > group/user who can join it to the domain, it seems to associate many
    > > unnecessary permissions. Maybe they are all needed, but mimicking these
    > > settings with dsacls takes forever. Any ideas?
    > >
    > > Thanks a bunch.
    > >
    > > Ed
    > >
    >
    >
  3.

    Create computer objects is a special permission in Active Directory that
    you will see on a container such as the domain container or an
    Organizational Unit in advanced page when you add a group to or edit
    permissions for a group. The user right for add workstations to the domain
    will only allow a user to add ten workstations to the domain by default. A
    user does not need that user right if they have the create computer objects
    permission. As far as scripts you might take a look in the Windows Scripting
    Center. --- Steve


    "Eddie Little" <little_eddieSPAM@MEhotmail.NOTcom> wrote in message
    news:W7WdnTGGhIvdI-ffRVn-sg@golden.net...
    > By the looks of it top posting is the norm here so here we go...
    >
    > Thanks Steve, but I am a little confused.
    >
    > Is "create computer objects" a "right" that is able to be set using
    > something like dsacl (or even setacl)? I have a feeling I will have to
    > mimic this ACE with many iterations of dsacls, which has been very
    > inefficient for me. It takes upwards of 20 seconds to apply something
    > like
    > "Reset Password" to one group for one computer object.
    >
    > Maybe there are other ways to achieve this goal? I'm sure others out
    > there
    > automate the creation of computer objects and apply rights to "join the
    > domain" at the same time. It seems a very "normal" thing to do. I was
    > hoping for a simple batch file approach. Something like...
    >
    > @echo off
    > for /f "delims=" %%A in (comp_names.txt) do (
    > dsacls "CN=%%A,OU=Computers,DC=Domain,DC=CA" /I:T /G "Domain\Add Computers Group:CA;Reset Password;"
    > dsacls...
    > dsacls...
    > )
    >
    > I guess I will look to a PERL or VBScript solution instead. Any insight?
    >
    > Thanks,
    > Ed.
    >
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:uPCXQZZUFHA.3184@TK2MSFTNGP15.phx.gbl...
    >> I believe the user only needs create computer objects to join computers
    >> to
    >> the domain. --- Steve
    >>
    >>
    >> "Ed Little" <SPAMlittle_eddieME@hotmail.comNOT> wrote in message
    >> news:1jaee.7499$uE3.84@charlie.risq.qc.ca...
    >> > Hello,
    >> >
    >> > I am wondering what the minimum permissions needed to join a computer to a
    >> > domain are? I would like to autocreate computer objects using dsadd, and
    >> > then set the appropriate permissions using dsacls. Seems easy enough, but
    >> > it is pretty slow. When adding a computer in ADUC, and specifying the
    >> > group/user who can join it to the domain, it seems to associate many
    >> > unnecessary permissions. Maybe they are all needed, but mimicking these
    >> > settings with dsacls takes forever. Any ideas?
    >> >
    >> > Thanks a bunch.
    >> >
    >> > Ed
    >> >
    >>
    >>
    >
    >
  4.

    Just wanted to clarify something.

    What really happens with this user right is the DACL check is ignored when
    an authenticated user joins a workstation to the domain. This check is
    ignored for up to the first ten workstations the user joins to the domain.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;243327
    Windows will do a DACL check on the 11th attempt and enforce the DACL for
    "create computer objects" permission.


    --
    Glenn L
    CCNA, MCSE 2000/2003 + Security

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:OLTB61eUFHA.3596@TK2MSFTNGP14.phx.gbl...
    > Create computer objects is a special permission in Active Directory that
    > you will see on a container such as the domain container or an
    > Organizational Unit in advanced page when you add a group to or edit
    > permissions for a group. The user right for add workstations to the domain
    > will only allow a user to add ten workstations to the domain by default. A
    > user does not need that user right if they have the create computer
    > objects permission. As far as scripts you might take a look in the Windows
    > Scripting Center. --- Steve
    >
    >
    >
    > "Eddie Little" <little_eddieSPAM@MEhotmail.NOTcom> wrote in message
    > news:W7WdnTGGhIvdI-ffRVn-sg@golden.net...
    >> By the looks of it top posting is the norm here so here we go...
    >>
    >> Thanks Steve, but I am a little confused.
    >>
    >> Is "create computer objects" a "right" that is able to be set using
    >> something like dsacl (or even setacl)? I have a feeling I will have to
    >> mimic this ACE with many iterations of dsacls, which has been very
    >> inefficient for me. It takes upwards of 20 seconds to apply something
    >> like
    >> "Reset Password" to one group for one computer object.
    >>
    >> Maybe there are other ways to achieve this goal? I'm sure others out
    >> there
    >> automate the creation of computer objects and apply rights to "join the
    >> domain" at the same time. It seems a very "normal" thing to do. I was
    >> hoping for a simple batch file approach. Something like...
    >>
    >> @echo off
    >> for /f "delims=" %%A in (comp_names.txt) do (
    >> dsacls "CN=%%A,OU=Computers,DC=Domain,DC=CA" /I:T /G "Domain\Add Computers Group:CA;Reset Password;"
    >> dsacls...
    >> dsacls...
    >> )
    >>
    >> I guess I will look to a PERL or VBScript solution instead. Any insight?
    >>
    >> Thanks,
    >> Ed.
    >>
    >> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    >> news:uPCXQZZUFHA.3184@TK2MSFTNGP15.phx.gbl...
    >>> I believe the user only needs create computer objects to join computers
    >>> to
    >>> the domain. --- Steve
    >>>
    >>>
    >>> "Ed Little" <SPAMlittle_eddieME@hotmail.comNOT> wrote in message
    >>> news:1jaee.7499$uE3.84@charlie.risq.qc.ca...
    >>> > Hello,
    >>> >
    >>> > I am wondering what the minimum permissions needed to join a computer to a
    >>> > domain are? I would like to autocreate computer objects using dsadd, and
    >>> > then set the appropriate permissions using dsacls. Seems easy enough, but
    >>> > it is pretty slow. When adding a computer in ADUC, and specifying the
    >>> > group/user who can join it to the domain, it seems to associate many
    >>> > unnecessary permissions. Maybe they are all needed, but mimicking these
    >>> > settings with dsacls takes forever. Any ideas?
    >>> >
    >>> > Thanks a bunch.
    >>> >
    >>> > Ed
    >>> >
    >>>
    >>>
    >>
    >>
    >
    >
  5.

    Create computer object allows the creation of the object in AD, it doesn't allow
    join by default. However as mentioned later in the thread, by default, auth
    users can join 10 machines.

    To get the permissions needed to do the join, I would recommend manually
    creating a computer account and delegating the join in ADUC and then looking at
    the resulting permissions. I did this several years ago for 2K for a script I
    wrote to do this stuff but I believe it may have changed for K3.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Eddie Little wrote:
    > By the looks of it top posting is the norm here so here we go...
    >
    > Thanks Steve, but I am a little confused.
    >
    > Is "create computer objects" a "right" that is able to be set using
    > something like dsacl (or even setacl)? I have a feeling I will have to
    > mimic this ACE with many iterations of dsacls, which has been very
    > inefficient for me. It takes upwards of 20 seconds to apply something like
    > "Reset Password" to one group for one computer object.
    >
    > Maybe there are other ways to achieve this goal? I'm sure others out there
    > automate the creation of computer objects and apply rights to "join the
    > domain" at the same time. It seems a very "normal" thing to do. I was
    > hoping for a simple batch file approach. Something like...
    >
    > @echo off
    > for /f "delims=" %%A in (comp_names.txt) do (
    > dsacls "CN=%%A,OU=Computers,DC=Domain,DC=CA" /I:T /G "Domain\Add Computers Group:CA;Reset Password;"
    > dsacls...
    > dsacls...
    > )
    >
    > I guess I will look to a PERL or VBScript solution instead. Any insight?
    >
    > Thanks,
    > Ed.
    >
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:uPCXQZZUFHA.3184@TK2MSFTNGP15.phx.gbl...
    >
    >>I believe the user only needs create computer objects to join computers to
    >>the domain. --- Steve
    >>
    >>
    >>"Ed Little" <SPAMlittle_eddieME@hotmail.comNOT> wrote in message
    >>news:1jaee.7499$uE3.84@charlie.risq.qc.ca...
    >>
    >>>Hello,
    >>>
    >>>I am wondering what the minimum permissions needed to join a computer to a
    >>>domain are? I would like to autocreate computer objects using dsadd, and
    >>>then set the appropriate permissions using dsacls. Seems easy enough, but
    >>>it is pretty slow. When adding a computer in ADUC, and specifying the
    >>>group/user who can join it to the domain, it seems to associate many
    >>>unnecessary permissions. Maybe they are all needed, but mimicking these
    >>>settings with dsacls takes forever. Any ideas?
    >>>
    >>>Thanks a bunch.
    >>>
    >>>Ed
    >>>
    >>
    >>
    >
    >
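As an added example that is not part of the thread: the batch approach Ed sketched, filled in with dsadd to pre-create each object and a single dsacls call per object for the join-related ACEs. The domain, OU, group name and input file are placeholders; the four ACEs are assumed to be what ADUC's "user or group can join this computer" delegation writes on a pre-created computer object, which is exactly what joe suggests checking against a manually delegated account, and ms-DS-MachineAccountQuota is the domain attribute behind the ten-machine default Glenn describes.

```batch
@echo off
REM Added example, not from the thread. Placeholders: domain, OU, group, input file.
setlocal
set OU=OU=Computers,DC=Domain,DC=CA
set JOINGRP=Domain\Add Computers Group

REM Defender's check: the domain-wide quota behind the "first ten workstations"
REM bypass of the DACL check. Authenticated Users can create this many machine
REM accounts with no delegation at all; setting it to 0 forces the DACL path,
REM so only groups delegated below can join machines.
dsquery * "DC=Domain,DC=CA" -scope base -attr ms-DS-MachineAccountQuota

REM Pre-create each computer object, then delegate the join to one group.
REM A computer object has no children, so Ed's /I:T (inherit to sub-objects)
REM is not needed. Several <user>:<perms> entries follow a single /G, so each
REM object costs one dsacls launch instead of one per ACE (Ed's 20 s per call).
REM ACE set assumed from ADUC's join delegation; verify per joe's advice:
REM   CA = control access (extended right)   WS = validated write
REM   RP/WP = read/write property (here the Account Restrictions property set)
for /f "usebackq delims=" %%A in ("comp_names.txt") do (
    echo Pre-creating CN=%%A,%OU%
    dsadd computer "CN=%%A,%OU%" -q
    dsacls "CN=%%A,%OU%" /G "%JOINGRP%:CA;Reset Password" "%JOINGRP%:WS;Validated write to DNS host name" "%JOINGRP%:WS;Validated write to service principal name" "%JOINGRP%:RPWP;Account Restrictions"
    if errorlevel 1 >&2 echo Failed to delegate join on %%A
)
endlocal
```

Run it once against a single test name and compare the resulting ACL (dsacls with no options prints it) with an account delegated by hand in ADUC before trusting the ACE list.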