Prevent from Creating Computer Objects


How can I prevent somebody from creating computer objects throughout the
Active Directory?
No matter what permissions I set, a user named userA (belonging to the "Domain
Users" group only) is always able to join computers to the domain using his/her
username/password, and a computer object is created in the "Computers" container.
I even set "Everyone"'s "Full Control" permission to "Deny" on the Computers
container, but still he/she can attach his/her computer to the domain with any
computer name, causing a computer account to be created in the Computers container.
What can I do to block creation of objects in default containers in Windows
2000, especially the "Computers" container?
 
Thank you. Maybe this helps me, maybe not, but it was a useful tip that I believe
comes in handy sometimes.
 
Set the attribute specified to 0 and authenticated users will not be
able to arbitrarily add machines to your domain.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Does it have any negative impact on administration-delegated OUs? (Of course
the KB article suggests no, but I want to make sure.)
Another question:
Suppose I did this, and then created an OU and delegated control of that
OU to a user. Which of the following possible scenarios happens on the user's
attempt to join a workstation to the domain?

A. A computer object is created in that OU and the workstation is joined to the
domain.
B. The workstation is joined to the domain ONLY IF a computer account was
created in that OU prior to the domain-join attempt; otherwise it will
fail.
C. If a matching computer account is found, the workstation joins and uses that
account; otherwise a computer object is created in the default "Computers"
container (the default behaviour which I want to prevent).
 
No that has no impact on delegation. However, you have to understand how
the join process works. If someone doesn't have the rights to join a
computer to the computers OU (or whatever OU the default join is
redirected to) then they won't be able to join a machine to AD unless
they do it with a scripted join process utilizing NETDOM or precreating
the account and specifying who can do the join.

So to answer your points directly:

A will not occur unless the delegated admin uses NETDOM.

B is likely, unless again the delegated admin uses NETDOM and specifies
what OU to create the computer object in.

I haven't tested C; you can easily test whether you can get it to work this
way: set the quota mentioned previously to 0 and then grant Create Child
for computers on the Computers container to the group you want to do
the joins. See if it will then allow you to create a computer there
during a normal join.

joe

 
Dear Joe,
Thank you. Your tip along with the "add workstation to domain" articles helped me
solve my problem.

FYI:
A: did not happen, as you told me.
B: happened, provided that the user has proper permissions on the
already-created computer object (I mean those 4 permissions that are granted
when you set "The following user and group can join this computer to a
domain").
C: happened, provided that the user has proper permissions on the "Computers"
container, despite having his quota set to 0, which according to this link is the
correct behaviour:
http://technet2.microsoft.com/Windo...d95d-4176-a1ca-bc629f1ca6981033.mspx?mfr=true

thank you again.
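As an added example that is not from the thread: the attribute Joe refers to, which the thread itself never names, is the domain's ms-DS-MachineAccountQuota. This PowerShell script, assuming the RSAT ActiveDirectory module and a current domain rather than Windows 2000, reads the quota, lists accounts in the Computers container that were created through the quota (AD stamps those with mS-DS-CreatorSID), closes the quota as Joe recommends, and pre-creates an account in a delegated OU for scenario B; the function and parameter names are my own.

```powershell
# Added example, not code from the thread. Needs the ActiveDirectory module
# and rights to read (and, for the change, modify) the domain head object.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    $domain = Get-ADDomain
    $obj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    return [int]$obj.'ms-DS-MachineAccountQuota'   # default is 10; 0 closes the quota
}

function Find-QuotaCreatedComputers {
    # Computers joined by a non-privileged user through the quota carry the
    # creator's SID in mS-DS-CreatorSID; admin- or delegate-created ones do not.
    param([string]$SearchBase = (Get-ADDomain).ComputersContainer)
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # deleted or foreign principal: keep the raw SID
            [pscustomobject]@{
                Name = $_.Name; Creator = $creator; Created = $_.whenCreated; DN = $_.DistinguishedName
            }
        }
}

function Set-MachineAccountQuota {
    # Scenario from the thread: with the quota at 0, ordinary users can no longer
    # create a computer object in the default container during a join.
    param([int]$Quota = 0)
    $domain = Get-ADDomain
    Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

function New-PrecreatedComputer {
    # Scenario B: pre-create the account in the delegated OU so the join binds to
    # it; the per-object join rights are then granted separately (ADUC or dsacls).
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$OUPath)
    New-ADComputer -Name $Name -Path $OUPath -Enabled $true
}

# Report first, then apply the change once the list has been reviewed.
"Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
Find-QuotaCreatedComputers | Format-Table -AutoSize
# Set-MachineAccountQuota -Quota 0
# New-PrecreatedComputer -Name 'WS01' -OUPath 'OU=Workstations,DC=example,DC=com'  # placeholder OU
```

Accounts listed with a Creator that is not an administrator are the ones the original poster was seeing; after the quota is 0 that list should stop growing, while joins in delegated OUs still work via pre-creation (B) or Create Child rights (C), as the thread confirmed.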
 