ms-DS-MachineAccountQuota question

  • Thread starter: Carl Chipman

Carl Chipman

Ok, most of the sites I've found show you how to change this number to
allow authenticated users to add computers to the domain... where can I find
out how MANY computers a particular user has added?
 
I haven't tried this yet, but I believe you can export the user account to a
text file using either LDIFDE or CSVDE and should show up in the attributes.
To create a report on a large scale, would need to script it to pull that
info out.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hmmm I can't think of any attribute that tracks that actually. I would bet it is something internal that we don't have
access to.

--
Joe Richards
www.joeware.net
 
Hmm, I was taking a WAG at this one and assumed it would show up as a
counter associated with an attribute.
Maybe you're right it's something internal and we *may* have access, maybe
thru ADSI or ntdsutil?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

Joe Richards said:
Hmmm I can't think of any attribute that tracks that actually. I would bet
it is something internal that we don't have
 
Yes, such an attribute exists! The mS-DS-CreatorSID of computer objects.
It is NOT set if the computer has been added to the domain by an administrator,
and has the user's SID in the other case. (tested ;-)
 
Is this attribute only populated when the quota is active? I.e., if someone precreates an account and joins it, is it
filled?

--
Joe Richards
www.joeware.net
 
below

Joe Richards said:
Is this attribute only populated when the quota is active? I.e., if someone precreates an account and joins it, is it
quota = ms-DS-MachineAccountQuota, yes?

"active" = "> 0"? It does not matter. If quota is 0, normal users cannot add computers to the domain.

"Someone" CANNOT _precreate_ an account, because it has no rights to do such things! (no rights in AD) This is a totally different
process. I guess that if a user adds a computer to the domain, the system creates a computer account in AD (from "the user name") using
_its own_ rights.
 
Correct, I understand how ms-DS-MachineAccountQuota works.

However it is possible for a normal user to have delegated rights within a specific subout to create machine accounts
and I was wondering if you had done anything in that sense and whether or not the precreated account will go against the
quota? I expect it wouldn't but haven't personally tested it. I.E. The normal user could have no rights other than
through ms-ds-maq to create something in the computers container but if they had delegated rights in an OU they could
precreate there and join the account. Also in that case do they have to specifically set the ACL's to allow the join to
them or their group OR will the ms-ds-maq kick in there? And if so does it then stamp that attribute.

--
Joe Richards
www.joeware.net
 
below:
Joe Richards said:
Correct, I understand how ms-DS-MachineAccountQuota works.

However it is possible for a normal user to have delegated rights within a specific subout to create machine accounts
yes, sure.
AFAIK, a normal user who has been delegated rights to add computers into the domain doesn't change the mS-DS-CreatorSID's value. But I
haven't yet tested this myself.
I don't know how delegation relates to the ms-DS-MachineAccountQuota attribute. I think that a user with delegated rights ignores its
value.
It isn't difficult to test this :-)
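
Added example (not part of any post in this thread): a Python script that answers the original question by tallying computer objects per mS-DS-CreatorSID from an LDIFDE export, combining the export idea and the attribute named above. The sample export, the example.test domain and the SIDs are constructed; computer objects without the attribute are counted under `None`.

```python
import base64
import struct
from collections import Counter

# Constructed sample in LDIFDE export style (not real data). SID-valued
# attributes are exported base64-encoded after a double colon ("::").
SAMPLE_LDIF = """\
dn: CN=WS01,CN=Computers,DC=example,DC=test
objectClass: computer
mS-DS-CreatorSID:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUAQAAA==

dn: CN=WS02,CN=Computers,DC=example,DC=test
objectClass: computer
mS-DS-CreatorSID:: AQUAAAAAAAUVAAAAAQAAAAIAAAAD
 AAAAUAQAAA==

dn: CN=WS03,CN=Computers,DC=example,DC=test
objectClass: computer
mS-DS-CreatorSID:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUQQAAA==

dn: CN=SRV01,OU=Servers,DC=example,DC=test
objectClass: computer
"""

def sid_to_str(raw):
    """Binary SID -> S-<revision>-<authority>-<sub-authorities...>."""
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])  # little-endian
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)

def creator_counts(ldif_text):
    """Count computer objects per creator SID; key None = attribute not set."""
    counts = Counter()
    # Undo LDIF line folding: a continuation line starts with one space.
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    for record in unfolded.split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if "computer" not in [v.lower() for v in attrs.get("objectclass", [])]:
            continue
        value = attrs.get("ms-ds-creatorsid", [None])[0]
        if value is not None and value.startswith(":"):  # "::" marks base64
            value = sid_to_str(base64.b64decode(value[1:].strip()))
        counts[value] += 1
    return counts
```

An export in this shape can be produced with `ldifde -f computers.ldf -r "(objectClass=computer)" -l "objectClass,mS-DS-CreatorSID"` and passed to `creator_counts()` as text; the resulting SIDs still need to be resolved to account names separately.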
 