Computer accounts in AD
Hi,
1) I know that every user in AD can add up to 10 computer accounts. Is there any danger in letting this happen, or is it best practice to assign a helpdesk group the ability to add computer accounts?
2) Also, other than applying GPOs to computer accounts, is there any real reason to organize them into separate OUs?
3) Is there any way in a Windows 2003 domain to allow the computer accounts being added to be split up and organized into pre-defined OUs?
Thanks. Sabs.
|
Hello Sabir.
1) This depends on the environment you are in; if you yourself see this as a risk, you should limit this feature. (Users have the same rights on an existing computer in the domain as on one they have added themselves.)
You can however change this if you have the Windows Server Support Tools installed, located on the Windows Server CD.
1. Open ADSI Edit.
2. Right-click on the domainDNS object for the domain you want to change and select Properties.
3. Edit the ms-DS-MachineAccountQuota attribute and enter the new quota value.
4. Click OK.
Or use the following script.
intQuota = 0 ' new quota value (placeholder; 0 means users without an explicit right cannot join computers)
strDomain = "" ' e.g. chrisse.local
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
' Bind to the domain naming context and write the quota attribute
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
objDomain.Put "ms-DS-MachineAccountQuota", intQuota
objDomain.SetInfo
2) Yes, for delegation.
3) Yes, you can bind another default container for new computer accounts; this can be done with ldp.exe from the Windows Server RESKIT and ADSI scripting, as far as I know.
-- Regards Christoffer Andersson
No email replies please - reply in the newsgroup
"Sabir Ahmedi" wrote in message news:evxIzypEEHA.1560@TK2MSFTNGP12.phx.gbl...
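The reply above changes ms-DS-MachineAccountQuota but does not show how to see who has already used the default quota, which is the check a defender wants before tightening it. The following is an added example, not code from the thread or from either poster; it assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, newer than the Windows 2003 environment discussed here), and the OU and group names in the last step are hypothetical.

```powershell
# Added example, not code from the thread: audit and tighten the machine account quota.
# Assumes the RSAT ActiveDirectory module; OU and group names below are placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Show the current quota (10 unless someone already changed it).
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota: $quota"

# 2. Computers joined under the quota, rather than by a principal holding an explicit
#    "Create Computer objects" right, carry mS-DS-CreatorSID: the SID of the user who joined
#    them. Listing those accounts shows who has been adding machines without delegation.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator no longer resolvable: keep the raw SID
        [PSCustomObject]@{
            Computer = $_.Name
            Creator  = $creator
            Created  = $_.whenCreated
            DN       = $_.DistinguishedName
        }
    } | Sort-Object Created -Descending | Format-Table -AutoSize

# 3. Set the quota to 0 so that only explicitly delegated principals can join machines.
Set-ADObject -Identity $domainDN -Replace @{'ms-DS-MachineAccountQuota' = 0}

# 4. Delegate the join right to a helpdesk group on one OU instead (hypothetical names).
#    CC;computer = create child objects of class computer, /I:T = this OU and everything below it.
dsacls "OU=Workstations,$domainDN" /I:T /G "EXAMPLE\Helpdesk:CC;computer"
```

Lowering the quota does not touch accounts that already exist, so the list from step 2 is the inventory to review afterwards; the mS-DS-CreatorSID attribute also stays on those objects, which makes it a useful marker for ongoing monitoring of unexpected joins.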
|
Here is a script to change the default location for new computers.
' This code changes the default computers container.
' ------ SCRIPT CONFIGURATION ------
strNewComputersParent = "" ' e.g. OU=RAllenCorp Computers
strDomain = "" ' e.g. rallencorp.com
' ------ END CONFIGURATION ---------
Const COMPUTER_WKGUID = "B:32:AA312825768811D1ADED00C04FD8D5CD:"
' ADS_PROPERTY_OPERATION_ENUM
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
' Bind to the current default Computers container through its well-known GUID
set objCompWK = GetObject("LDAP://<WKGUID=AA312825768811D1ADED00C04FD8D5CD," & _
    objRootDSE.Get("defaultNamingContext") & ">")
' Remove the old well-known entry for the Computers container and add the new one
objDomain.PutEx ADS_PROPERTY_DELETE, "wellKnownObjects", _
    Array( COMPUTER_WKGUID & objCompWK.Get("distinguishedName") )
objDomain.PutEx ADS_PROPERTY_APPEND, "wellKnownObjects", _
    Array( COMPUTER_WKGUID & strNewComputersParent & "," & objRootDSE.Get("defaultNamingContext") )
objDomain.SetInfo
WScript.Echo "New default Computers container set to " & strNewComputersParent
You can define a location if you use RIS also.
-- Regards Christoffer Andersson
No email replies please - reply in the newsgroup
"Sabir Ahmedi" wrote in message news:evxIzypEEHA.1560@TK2MSFTNGP12.phx.gbl...
|
Chris, Thanks for the awesome reply.
I still did not understand why it is a bad idea to let users add computer accounts to the domain.
Also, can the script let the computer accounts flow into 2 separate OUs based on their name?
-Sabir.
"Chriss3" wrote in message news:eMx2XWqEEHA.1560@TK2MSFTNGP12.phx.gbl...
|
As I said, I don't see that as a bad idea, and that's why we have it by default. The script doesn't let you do that. Maybe a scheduled task to move computers by their names into different OUs can work.
-- Regards Christoffer Andersson
No email replies please - reply in the newsgroup
"Sabir Ahmedi" wrote in message news:Owu116qEEHA.4084@TK2MSFTNGP11.phx.gbl...
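The scheduled task suggested above is not written out in the thread. The following is an added example of one, not code from the thread or from either poster: it takes every computer sitting directly in the domain's current default container and moves it into an OU chosen by a name prefix. It assumes the RSAT ActiveDirectory module; the naming convention (LT-, WS-) and the target OUs are hypothetical and must be replaced with your own.

```powershell
# Added example, not code from the thread: sort newly joined computers out of the default
# container into OUs by name prefix. Assumes the RSAT ActiveDirectory module; the prefixes
# and OU names are placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$source   = $domain.ComputersContainer   # wherever new accounts currently land

# First matching rule wins; anything unmatched stays where it is and is reported.
$rules = @(
    @{ Pattern = '^LT-'; TargetOU = "OU=Laptops,OU=Workstations,$domainDN" },
    @{ Pattern = '^WS-'; TargetOU = "OU=Desktops,OU=Workstations,$domainDN" }
)

$moved = 0
foreach ($computer in Get-ADComputer -SearchBase $source -SearchScope OneLevel -Filter *) {
    $rule = $rules | Where-Object { $computer.Name -match $_.Pattern } | Select-Object -First 1
    if (-not $rule) {
        Write-Warning "$($computer.Name) matches no naming rule; left in $source for review"
        continue
    }
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $rule.TargetOU
    Write-Host "Moved $($computer.Name) to $($rule.TargetOU)"
    $moved++
}
Write-Host "$moved computer(s) moved"
```

Run it from a scheduled task under an account that holds only what a move needs: delete rights on the objects in the source container and Create Computer objects on the target OUs, not Domain Admins. Machines that match no rule stay in the default container, where no GPO can be linked (CN=Computers is a container, not an OU), so that warning list is worth reading as a signal of names that do not follow the convention. On a Windows Server 2003 domain at the 2003 functional level, the built-in redircmp.exe changes the default container in the same way as the wellKnownObjects script earlier in the thread.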
|
Thanks again Chris.
"Chriss3" wrote in message news:%233QPDNrEEHA.2976@TK2MSFTNGP12.phx.gbl...
|
Sabir,
It can be an issue from a security standpoint. Allowing users to introduce any machine to your domain can pose a major risk if the machine has malware on it.
-- Brian Desmond, Windows Server MVP, desmondb@payton.cps.k12.il.us
Http://www.briandesmond.com
"Sabir Ahmedi" wrote in message news:Owu116qEEHA.4084@TK2MSFTNGP11.phx.gbl...