Archived from groups: microsoft.public.win2000.security
Just wanted to clarify something.
What really happens with this user right is the DACL check is ignored when
an authenticated user joins a workstation to the domain. This check is
ignored for up to the first ten workstations the user joins to the domain.
http://support.microsoft.com/default.aspx?scid=kb;en-us;243327
Windows will do a DACL check on the 11th attempt and enforce the DACL for
"create computer objects" permission.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OLTB61eUFHA.3596@TK2MSFTNGP14.phx.gbl...
> Create computer objects is a special permission in Active Directory that
> you will see on a container such as the domain container or an
> Organizational Unit in the advanced page when you add a group to or edit
> permissions for a group. The user right for add workstations to the domain
> will only allow a user to add ten workstations to the domain by default. A
> user does not need that user right if they have the create computer
> objects permission. As far as scripts you might take a look in the Windows
> Scripting Center. --- Steve
>
>
>
> "Eddie Little" <little_eddieSPAM@MEhotmail.NOTcom> wrote in message
> news:W7WdnTGGhIvdI-ffRVn-sg@golden.net...
>> By the looks of it top posting is the norm here so here we go...
>>
>> Thanks Steve, but I am a little confused.
>>
>> Is "create computer objects" a "right" that is able to be set using
>> something like dsacls (or even setacl)? I have a feeling I will have to
>> mimic this ACE with many iterations of dsacls, which has been very
>> inefficient for me. It takes upwards of 20 seconds to apply something
>> like "Reset Password" to one group for one computer object.
>>
>> Maybe there are other ways to achieve this goal? I'm sure others out
>> there automate the creation of computer objects and apply rights to
>> "join the domain" at the same time. It seems a very "normal" thing to
>> do. I was hoping for a simple batch file approach. Something like...
>>
>> @echo off
>> for /f "delims=" %%A in (comp_names.txt) do (
>> dsacls "CN=%%A,OU=Computers,DC=Domain,DC=CA" /I:T /G "Domain\Add Computers Group:CA;Reset Password;"
>> dsacls...
>> dsacls...
>> )
>>
>> I guess I will look to a PERL or VBScript solution instead. Any insight?
>>
>> Thanks,
>> Ed.
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:uPCXQZZUFHA.3184@TK2MSFTNGP15.phx.gbl...
>>> I believe the user only needs create computer objects to join computers
>>> to the domain. --- Steve
>>>
>>>
>>> "Ed Little" <SPAMlittle_eddieME@hotmail.comNOT> wrote in message
>>> news:1jaee.7499$uE3.84@charlie.risq.qc.ca...
>>> > Hello,
>>> >
>>> > I am wondering what the minimum permissions needed to join a computer
>>> > to a domain are? I would like to autocreate computer objects using
>>> > dsadd, and then set the appropriate permissions using dsacls. Seems
>>> > easy enough, but it is pretty slow. When adding a computer in ADUC, and
>>> > specifying the group/user who can join it to the domain, it seems to
>>> > associate many unnecessary permissions. Maybe they are all needed, but
>>> > mimicking these settings with dsacls takes forever. Any ideas?
>>> >
>>> > Thanks a bunch.
>>> >
>>> > Ed
>>> >
>>>
>>>
>>
>>
>
>
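The per-object dsacls loop discussed in the thread can be replaced by inheritable ACEs set once on the OU, so that pre-created computer objects pick them up automatically. The batch file below is an added example, not code from any poster in the thread; the OU, group name and comp_names.txt reuse the placeholders from Eddie's post, and the rights granted beyond "Reset Password" are an assumption about what joining a pre-created account requires.

```batch
@echo off
rem Added example, not from the thread. Placeholder values (assumptions):
rem   TARGET_OU  OU that will hold the pre-created computer objects
rem   JOIN_GRP   group delegated to join those computers to the domain
rem   comp_names.txt  one computer name per line
setlocal
set "TARGET_OU=OU=Computers,DC=Domain,DC=CA"
set "JOIN_GRP=Domain\Add Computers Group"

rem Step 1: grant the join rights ONCE on the OU instead of once per object.
rem   /I:S  = ACE is inherited by sub-objects only, not applied to the OU
rem   third field "computer" = ACE applies to computer objects only
rem   CA = control access right, WP = write property, WS = validated write
rem The thread names only "Reset Password"; the other three entries are an
rem assumption and should be checked against your own delegation policy.
dsacls "%TARGET_OU%" /I:S /G ^
  "%JOIN_GRP%:CA;Reset Password;computer" ^
  "%JOIN_GRP%:WP;Account Restrictions;computer" ^
  "%JOIN_GRP%:WS;Validated write to DNS host name;computer" ^
  "%JOIN_GRP%:WS;Validated write to service principal name;computer"
if errorlevel 1 (
  echo dsacls reported an error on "%TARGET_OU%" 1>&2
  exit /b 1
)

rem Step 2: pre-create the computer objects. They inherit the ACEs from
rem step 1, so no dsacls call is needed inside the loop.
for /f "usebackq delims=" %%A in ("comp_names.txt") do (
  dsadd computer "CN=%%A,%TARGET_OU%" || echo could not create %%A 1>&2
)

rem Alternative described in Steve's reply: let the group create the
rem computer objects itself by granting "create computer objects" on the OU.
rem CC = create child, restricted to the computer object class.
rem dsacls "%TARGET_OU%" /G "%JOIN_GRP%:CC;computer"

endlocal
```

Running `dsacls "OU=Computers,DC=Domain,DC=CA"` without switches afterwards prints the resulting ACL, which is the quickest way to confirm that only the intended group received the entries.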