#1

Allowing users to *only* add computers to the domain

We have a couple of different levels of IT worker in my environment. For the most trusted workers who need to add multiple computers to the domain, we have given them the following rights on the Computers container:

- Create/Delete Computer Objects on "This object and all descendant objects"
- Full Control on "Descendant Computer objects"

Also, individuals have Full Control of the OUs that they manage. So those people are able to join computers to the domain even if the computer object already exists in the Computers container or their own OU.

The problem is that we would like a slightly less trusted group to be able to add computers to the domain, but not delete them. Ideally they would be able to do this even if the computer account already exists in the Computers container or the OU that they help manage. I'm wondering if this would work:

- Create Computer Objects on "This object and all descendant objects".
- Some sort of special permissions on "Descendant Computer objects" that would include "Change Password" and some other rights.

Thanks.
#2

Re: Allowing users to *only* add computers to the domain

"Baboon" <Baboon@discussions.microsoft.com> wrote in message news:25005068-7C6C-4D24-B561-A751D2F4C0D5@microsoft.com...
> We have a couple of different levels of IT worker in my environment. For the
> most trusted workers who need to add multiple computers to the domain, we
> have given them the following rights on the Computers container:
> Create/Delete Computer Objects on "This object and all descendant objects"
> Full Control on "Descendant Computer objects"
> Also, individuals have Full Control of the OUs that they manage. So those
> people are able to join computers to the domain even if the computer object
> already exists in the Computers container or their own OU.
>
> The problem is that we would like a slightly less trusted group to be able
> to add computers to the domain, but not delete them. Ideally they would be
> able to do this even if the computer account already exists in the Computers
> container or the OU that they help manage. I'm wondering if this would work:
> Create Computer Objects on "This object and all descendant objects".
> Some sort of special permissions on "Descendant Computer objects" that would
> include "Change Password" and some other rights.
>
> Thanks.

That's kind of tricky. Keep in mind, regular user accounts can join a computer to a domain, but they can't update an account already installed. They have the ability to add it to the Computers container by default. But if you need them to overwrite a computer account already installed, they would need more permissions, which would of course include deleting them.

I would suggest that the less than trusted group does not have the ability to update existing computer objects and require them to put in a service request to the group that can either delete the existing object, or have them join/rejoin the machine to the domain.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
#3

Re: Allowing users to *only* add computers to the domain

Take a look at the article posted by Jorge Pinto regarding delegation at http://blogs.dirteam.com/blogs/jorge...01/05/369.aspx (section 1). In essence, what you can do is to pre-create computer accounts that subsequently would be joined to the domain by members of the "slightly less trusted group". The privileges required by this group would be limited to "Reset Password", "Validated write to DNS host name", "Validated write to service principal name", "Account Restrictions".

In addition, you should revoke "Add workstations to domain" from the Authenticated Users group, and grant it to the "most trusted workers" group instead...

hth
Marcin

"Baboon" <Baboon@discussions.microsoft.com> wrote in message news:25005068-7C6C-4D24-B561-A751D2F4C0D5@microsoft.com...
> We have a couple of different levels of IT worker in my environment. For the
> most trusted workers who need to add multiple computers to the domain, we
> have given them the following rights on the Computers container:
> Create/Delete Computer Objects on "This object and all descendant objects"
> Full Control on "Descendant Computer objects"
> Also, individuals have Full Control of the OUs that they manage. So those
> people are able to join computers to the domain even if the computer object
> already exists in the Computers container or their own OU.
>
> The problem is that we would like a slightly less trusted group to be able
> to add computers to the domain, but not delete them. Ideally they would be
> able to do this even if the computer account already exists in the Computers
> container or the OU that they help manage. I'm wondering if this would work:
> Create Computer Objects on "This object and all descendant objects".
> Some sort of special permissions on "Descendant Computer objects" that would
> include "Change Password" and some other rights.
>
> Thanks.
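The delegation Marcin describes (pre-created computer accounts, and only Reset Password, the two validated writes and Account Restrictions on descendant computer objects), written out as a PowerShell example. This is an added example, not code from the thread or from Jorge's article; the OU path, the group name and the domain are assumptions. It resolves the rights GUIDs from CN=Extended-Rights and the schema instead of hard-coding them, applies the four ACEs, then reads the ACL back to confirm the group did not end up with any delete or take-over right, and finally shows the domain's ms-DS-MachineAccountQuota, the per-user "10 computers" default that the later replies discuss.

```powershell
# Added example, not from the thread. Assumed names: $TargetDN, $Group, the EXAMPLE domain.
# Grants the minimal join rights on descendant computer objects and audits the result.
Import-Module ActiveDirectory

$TargetDN = 'OU=Workstations,DC=example,DC=com'   # assumption: OU holding the pre-created accounts
$Group    = 'EXAMPLE\Tier2-Joiners'                # assumption: the "slightly less trusted" group

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Look up a right or property set by its display name in CN=Extended-Rights (no hard-coded GUIDs).
function Get-RightsGuid {
    param([string]$DisplayName)
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Right '$DisplayName' not found in Extended-Rights" }
    [guid]$right.rightsGuid
}

# schemaIDGUID of the computer class: scopes every ACE to "Descendant Computer objects" only.
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

$sid     = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# One extended right, two validated writes (the "Self" right) and read/write on the
# Account Restrictions property set (userAccountControl and friends). No Create, no Delete.
$wanted = @(
    @{ Rights = 'ExtendedRight';               Name = 'Reset Password' },
    @{ Rights = 'Self';                        Name = 'Validated write to DNS host name' },
    @{ Rights = 'Self';                        Name = 'Validated write to service principal name' },
    @{ Rights = 'ReadProperty, WriteProperty'; Name = 'Account Restrictions' }
)

$acl = Get-Acl -Path "AD:\$TargetDN"
foreach ($w in $wanted) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$w.Rights,
        $allow,
        (Get-RightsGuid $w.Name),   # objectType: the right or property set being granted
        $inherit,
        $computerGuid)              # inheritedObjectType: applies to computer objects only
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Check 1: the group must hold nothing that allows deleting or taking over objects.
$dangerous = 'Delete', 'DeleteChild', 'DeleteTree', 'GenericAll', 'WriteDacl', 'WriteOwner'
$after = Get-Acl -Path "AD:\$TargetDN"
$risky = $after.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Group -and
    ($_.ActiveDirectoryRights.ToString() -split ',\s*' | Where-Object { $_ -in $dangerous })
}
if ($risky) {
    Write-Warning "$Group holds delete/take-over rights on ${TargetDN}:"
    $risky | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
} else {
    Write-Output "OK: $Group has only the delegated join rights on descendant computer objects."
}

# Check 2: the quota that lets any authenticated user create its own computer accounts.
# Joining a pre-created account does not consume it; set it to 0 if joins should go only through delegation.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota for $($domain.DNSRoot) = $quota"
```

Run it as an account that can modify the OU's security descriptor. The audit step is the part worth keeping around: rerun it after any later "Delegate Control" wizard pass on the same OU, because those wizards happily stack Full Control on "Descendant Computer objects", which is exactly the right the less trusted group is not supposed to have.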
#4

Re: Allowing users to *only* add computers to the domain

Hello Baboon,

have a look here about the default that normal users are able to join up to 10 machines to the domain: http://support.microsoft.com/kb/243327/en-us

Here is described the needed configuration for joining machines when the computer name already exists in the domain: http://support.microsoft.com/kb/932455

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> We have a couple of different levels of IT worker in my environment. For the
> most trusted workers who need to add multiple computers to the domain, we
> have given them the following rights on the Computers container:
> Create/Delete Computer Objects on "This object and all descendant objects"
> Full Control on "Descendant Computer objects"
> Also, individuals have Full Control of the OUs that they manage. So those
> people are able to join computers to the domain even if the computer object
> already exists in the Computers container or their own OU.
> The problem is that we would like a slightly less trusted group to be able
> to add computers to the domain, but not delete them. Ideally they would be
> able to do this even if the computer account already exists in the Computers
> container or the OU that they help manage. I'm wondering if this would work:
> Create Computer Objects on "This object and all descendant objects".
> Some sort of special permissions on "Descendant Computer objects" that would
> include "Change Password" and some other rights.
> Thanks.
#5

Re: Allowing users to *only* add computers to the domain

see: http://blogs.dirteam.com/blogs/jorge...01/05/369.aspx

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto #
MVP Identity & Access - Directory Services

BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS) --> http://blogs.dirteam.com/blogs/jorge/rss.aspx

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

"Baboon" <Baboon@discussions.microsoft.com> wrote in message news:25005068-7C6C-4D24-B561-A751D2F4C0D5@microsoft.com...
> We have a couple of different levels of IT worker in my environment. For the
> most trusted workers who need to add multiple computers to the domain, we
> have given them the following rights on the Computers container:
> Create/Delete Computer Objects on "This object and all descendant objects"
> Full Control on "Descendant Computer objects"
> Also, individuals have Full Control of the OUs that they manage. So those
> people are able to join computers to the domain even if the computer object
> already exists in the Computers container or their own OU.
>
> The problem is that we would like a slightly less trusted group to be able
> to add computers to the domain, but not delete them. Ideally they would be
> able to do this even if the computer account already exists in the Computers
> container or the OU that they help manage. I'm wondering if this would work:
> Create Computer Objects on "This object and all descendant objects".
> Some sort of special permissions on "Descendant Computer objects" that would
> include "Change Password" and some other rights.
>
> Thanks.
#6

Re: Allowing users to *only* add computers to the domain

Thanks to everyone for the replies.

Your suggestion for requiring a service request to the more trusted group is what I already had in mind, but I was afraid of resistance. Management is in agreement, so I don't have to do any further work.

There was one thing that surprised me about this... For the less trusted group, I added the following access control entry (and nothing more) to the Computers container:

- Create Computer Objects on "This object and all descendant objects".

In testing, an account belonging only to that group was successful in adding a new machine to the domain. This account previously had Account Operator rights, thus it had almost unlimited rights to join computers and had been used to add hundreds of computers in the past. Would this ACE have gotten around the 10 computer limit for users in the group?

"Ace Fekay [Microsoft Certified Trainer]" wrote:
> "Baboon" <Baboon@discussions.microsoft.com> wrote in message
> news:25005068-7C6C-4D24-B561-A751D2F4C0D5@microsoft.com...
> > We have a couple of different levels of IT worker in my environment. For the
> > most trusted workers who need to add multiple computers to the domain, we
> > have given them the following rights on the Computers container:
> > Create/Delete Computer Objects on "This object and all descendant objects"
> > Full Control on "Descendant Computer objects"
> > Also, individuals have Full Control of the OUs that they manage. So those
> > people are able to join computers to the domain even if the computer object
> > already exists in the Computers container or their own OU.
> >
> > The problem is that we would like a slightly less trusted group to be able
> > to add computers to the domain, but not delete them. Ideally they would be
> > able to do this even if the computer account already exists in the Computers
> > container or the OU that they help manage. I'm wondering if this would work:
> > Create Computer Objects on "This object and all descendant objects".
> > Some sort of special permissions on "Descendant Computer objects" that would
> > include "Change Password" and some other rights.
> >
> > Thanks.
>
> That's kind of tricky. Keep in mind, regular user accounts can join a
> computer to a domain, but they can't update an account already installed.
> They have the ability to add it to the computers container by default. But
> if you need them to overwrite a computer account already installed, they
> would need more permissions, that would of course include deleting them.
>
> I would suggest that the less than trusted group does not have the ability
> to update existing computer objects and require them to put in a service
> request to the group that can either delete the existing object, or have
> them join/rejoin the machine to the domain.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
#7

Re: Allowing users to *only* add computers to the domain

"Baboon" <Baboon@discussions.microsoft.com> wrote in message news:64460E98-4452-42C4-AB33-C5FD051F516A@microsoft.com...
> Thanks to everyone for the replies.
>
> Your suggestion for requiring a service request to the more trusted group is
> what I already had in mind, but I was afraid of resistance. Management is in
> agreement, so I don't have to do any further work.
>
> There was one thing that surprised me about this...
> For the less trusted group, I added the following access control entry (and
> nothing more) to the Computers container:
> - Create Computer Objects on "This object and all descendant objects".
> In testing, an account belonging only to that group was successful in adding
> a new machine to the domain. This account previously had Account Operator
> rights, thus it had almost unlimited rights to join computers and had been
> used to add hundreds of computers in the past. Would this ACE have gotten
> around the 10 computer limit for users in the group?

Good that management is buying into it. That is one big obstacle that needs to be overcome in many companies, and glad you have them on your side.

As for delegation, yes, that will override the 10 add limit.

Ace