Allow users to change Description attribute for computer account

Discussion in 'Security Software' started by rickb, Jul 11, 2005.

  1. rickb

    rickb Guest

    Windows 2003 AD.

    All computer names are similar and are incremented by number 0001-9999.

    I found a script on TechNet from the Scripting Guys. The script works fine for
    me (I'm a domain admin), but fails for other users. The second part of the
    article was to give the users permissions to change the Description
    attribute. I don't necessarily want to give them the keys to the kingdom to
    accomplish this. Is this the group policy that allows the user to join the
    domain? Can anyone shed some light?

    here's a link to the article:
    http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0429.mspx
     
    rickb, Jul 11, 2005
    #1

  2. By default a regular user can join a computer to the domain up to ten times.
    You can permanently give a user the ability to join computers to the domain
    by giving a users group create computer objects permission on the domain or
    computers container. This is called delegation of authority. You can right
    click the domain or a container and select delegate control to start the
    delegation wizard which has preset categories or you can create custom ones.
    The delegation wizard simply changes AD permissions on the object. You also
    for instance could select a container, right click
    properties/security/advanced and then add or edit permissions. Then select
    apply onto computer object and look for the needed permissions in the object
    or properties tab. I believe read/write description is in the properties
    tab. --- Steve
     
    Steven L Umbach, Jul 12, 2005
    #2

  3. rickb

    rickb Guest

    Awesome. I guess I should have mentioned that I'm running Windows 2003 sp1.
    So, there's an option when you right click to delegate control. In my test
    lab, I granted Domain Users the authority to read/write descriptions on
    Computer objects only. But I am under the assumption that it isn't the
    greatest idea to use Built-in groups for delegation. I can easily create a
    new group and throw all users in it and go about it that way.

    How do you remove delegation if you decide it isn't working correctly or you
    used an incorrect group?
    -Rick
     
    rickb, Jul 12, 2005
    #3
  4. That is more difficult. There is no wizard to "undo" delegation of
    authority. You would have to manually change the permissions on the AD
    object. It may help to computer permissions to a container/OU that has not
    had its default permissions changed. The command line tool dsacls can be
    used to restore default permissions to an object. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;281146 --- Dsacls.
    Works same for W2003.
     
    Steven L Umbach, Jul 12, 2005
    #4
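The delegation and its removal described in this thread, as an added PowerShell example that is not part of any post; the OU path and the group name EXAMPLE\Desc-Editors are assumed, and a purpose-built group is used instead of the built-in Domain Users, as rickb preferred.

```powershell
# Added example, not from the thread. Assumed names: an OU holding the
# workstations and a purpose-built group that should edit descriptions.
$ou    = 'OU=Workstations,DC=example,DC=com'
$group = 'EXAMPLE\Desc-Editors'

# 1. Grant read/write of the 'description' property on computer objects only.
#    RPWP = Read Property + Write Property; the trailing ';computer' limits the
#    ACE to computer objects, and /I:S makes it inherit-only, so it applies to
#    child objects and not to the OU itself.
dsacls $ou /I:S /G "${group}:RPWP;description;computer"

# 2. Verify: dump the OU's ACL and keep only the ACEs that mention the group.
dsacls $ou | Select-String -SimpleMatch $group

# 3. Undo the delegation: remove every ACE for that group on the OU.
dsacls $ou /R $group

# 4. Last resort: reset the OU and everything beneath it to schema defaults
#    (/S = restore defaults, /T = apply to the whole subtree). This also wipes
#    any other custom delegation on the subtree, so check step 2 first.
# dsacls $ou /S /T
```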
