Minimum security settings of computer accounts for allowing domain user account to join domain

#1
18-08-2008
M C

Hi ALL,

I'd like to configure the security settings for the computer accounts that
only allow a domain user to join the domain (nothing else, including changing
the computer account name, etc.). I tried to create a dummy computer account
using (Active Directory Users and Computers -> New Computer Wizard) and
specified a domain user account in the "The following user or group can join
this computer to a domain". The domain account can join the domain but can also
modify the computer name (simply change the computer name in the Windows
client, and the computer account will be modified after reboot). Does anyone know
what the minimum security settings of the computer account object are so that
the domain account can only have the join domain privilege, no others,
especially changing the computer account name?

TIA

M C



#2
18-08-2008
Bruce Sanderson

Not sure if that is possible, but perhaps this will set you on the right
track to explore.

The permissions required to join a computer to the domain are shown in KB
932455. I prefer not to use the Delegation Wizard for various reasons; the
same thing can be done using the Security tab in the Properties of the OU
containing the computer accounts.

Not sure exactly which "Properties" a user needs to be able to "Write" to
join a computer to a domain, but I do know that at least some of them are
written during the "join" operation - if I leave out the "Write All
Properties", users can't join the computer to the domain - presumably a
subset would work, but I don't know which ones.

1. in the Security tab, click Advanced...
2. click Add...
3. key the name of the user or group you want to grant the permissions to;
   click OK
4. from the Apply onto: box, select Computer Objects
5. add check marks in the Allow column in these rows:
   - Write All Properties (or select the Properties tab to grant Write to only
     those that are required)
   - Reset Password
   - Validate write to DNS host name
   - Validate write to service principal name


--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
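
The permissions from steps 1 to 5 above, set with PowerShell instead of the Security tab, as an added example that is not part of the original post. The OU and group names are placeholders (assumptions); the GUIDs are the standard schema identifiers for the computer class and the three rights.

```powershell
# Added example: grants the four permissions from step 5 on an OU, scoped to
# descendant computer objects. $ou and $group are placeholders (assumptions).
Import-Module ActiveDirectory

$ou    = 'OU=Workstations,DC=example,DC=com'
$group = 'EXAMPLE\Workstation-Joiners'

$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$scope    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$adRights = [System.DirectoryServices.ActiveDirectoryRights]

# Rights identified by GUID: one extended right and two validated writes.
$specific = @(
    @{ Rights = $adRights::ExtendedRight; Guid = '00299570-246d-11d0-a768-00aa006e0529' }  # Reset Password
    @{ Rights = $adRights::Self;          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' }  # Validated write to DNS host name
    @{ Rights = $adRights::Self;          Guid = 'f3a64788-5306-11d2-a9c5-0000f87571e3' }  # Validated write to service principal name
)

$acl = Get-Acl -Path "AD:\$ou"

foreach ($r in $specific) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $r.Rights, $allow, [guid]$r.Guid, $scope, $computer)
    $acl.AddAccessRule($ace)
}

# Write All Properties: WriteProperty with no attribute GUID covers every attribute.
$writeAll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $adRights::WriteProperty, $allow, $scope, $computer)
$acl.AddAccessRule($writeAll)

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Review what the group now holds on computer objects in this OU.
# An all-zero ObjectType on a WriteProperty ACE is the "all properties" grant,
# the entry to narrow if a smaller set of attributes proves sufficient.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and
                   $_.InheritedObjectType -eq $computer } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
```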



#3
18-08-2008
Jorge de Almeida Pinto [MVP - DS]

see:
http://blogs.dirteam.com/blogs/jorge...01/05/369.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
