
Prepopulating Domain Joining Attribute

Status
Not open for further replies.

Signit

MIS
Oct 17, 2003
114
US
I am creating objects in Active Directory using an LDAP connection. Once the object is created I want only certain users to be able to join each particular object to the domain. Meaning that just because you have rights to join the domain, you can't join a specific object unless you have been given permission to that object. I am wondering if there is a way to populate an attribute on the computer account to allow for this. Essentially, I am looking for the setting that is populated when using Active Directory Users and Computers and you utilize: "The following group or user can join this computer to a domain." Any help would be greatly appreciated.
 
To have a particular user only be allowed to join specific PCs to the domain, those objects must already have been created in Active Directory... that's kinda defeating the purpose.

You can give specific users the right to join computers to the domain in group policy. Don't attempt to get specific on what objects they can join unless you are willing to create the computer accounts beforehand (joining the domain requires that a computer account exist or be created at join time, and permissions for creating computer accounts are separate).

Open Active Directory Users and Computers, right-click on your Domain Controllers container and select Properties, select the Group Policy tab, pick the policy you wish to edit (Default Domain Controllers Policy), and look under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\"Add workstations to domain".

If you fail to give these users the right to create objects in the Computers container, you will have to manually create the computer accounts ahead of time... but once created, anyone who has permission to join the workstation to the domain can add that computer.



Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
 
Seaspray0 said:
If you fail to give these users the right to create objects in the computers container, you will have to manually create the computer accounts ahead of time... but once created, anyone who has permissions to join the workstation to the domain can add that computer.
I will be creating the objects, prior to them being joined to the domain, through an LDAP interface. This will allow our organization to bypass the Computers OU, creating objects in their appropriate OU from the outset. I would like to limit the ability of joining these objects, once created, to users within their appropriate support unit. For example, a computer account created in support unit 1's OU could only be joined to the domain by a user in support unit 1. Would that be managed on the container for each support unit?
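The thread ends without an answer, so the following is an added example, not code from either poster. What the ADUC dialog "The following user or group can join this computer to a domain" writes is not an attribute on the computer account but a set of access-control entries on the computer object's security descriptor (Reset Password, Write Account Restrictions, and the two validated writes for DNS host name and service principal name). The script below pre-stages a computer account in a support unit's OU and grants exactly those entries to that unit's support group, then reports which principals hold the join right. The OU path, group name and computer name are placeholders; the ActiveDirectory module and the AD: PSDrive it provides are assumed to be available.

```powershell
# Added example (not from the thread). Pre-stage a computer account in a
# support unit's OU and delegate the domain-join right to that unit's group.
Import-Module ActiveDirectory

# Placeholders: replace with your own OU, group and naming convention.
$ComputerName = 'WS-SU1-0001'                                            # assumption
$TargetOU     = 'OU=Support Unit 1,OU=Workstations,DC=example,DC=com'    # assumption
$JoinGroup    = 'EXAMPLE\SU1-Workstation-Joiners'                        # assumption

# Well-known schema GUIDs for the rights the ADUC join dialog delegates.
$ResetPasswordRight   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$ValidatedDnsHostName = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # validated write: DNS host name
$ValidatedSpn         = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # validated write: service principal name
$AccountRestrictions  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # property set: Account Restrictions

function New-PrestagedComputer {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $OuPath,
        [Parameter(Mandatory)] [string] $JoinPrincipal   # DOMAIN\group or DOMAIN\user
    )

    # Create the account in the unit's OU so it never lands in the Computers container.
    $computer = New-ADComputer -Name $Name -Path $OuPath -Enabled $true -PassThru

    $identity = New-Object System.Security.Principal.NTAccount($JoinPrincipal)
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow

    # One ACE per right, each scoped to the specific GUID so nothing broader is granted.
    $rules = @(
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $ResetPasswordRight)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity, [System.DirectoryServices.ActiveDirectoryRights]::Self, $allow, $ValidatedDnsHostName)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity, [System.DirectoryServices.ActiveDirectoryRights]::Self, $allow, $ValidatedSpn)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $AccountRestrictions)
    )

    # Read the object's security descriptor through the AD: drive, add the ACEs, write it back.
    $aclPath = "AD:\$($computer.DistinguishedName)"
    $acl = Get-Acl -Path $aclPath
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $aclPath -AclObject $acl

    return $computer
}

function Get-ComputerJoinPrincipals {
    # Report every principal explicitly granted Reset Password on the object;
    # a principal without it cannot complete a join against the pre-staged account.
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $ResetPasswordRight -and
            $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        } |
        Select-Object -ExpandProperty IdentityReference
}

# Usage: stage one account for support unit 1 and show who may join it.
$staged = New-PrestagedComputer -Name $ComputerName -OuPath $TargetOU -JoinPrincipal $JoinGroup
Get-ComputerJoinPrincipals -DistinguishedName $staged.DistinguishedName
```

Scoping the ACEs to the individual computer object answers the "only support unit 1 can join support unit 1's machines" requirement without giving the group any rights over the OU itself. The same four ACEs can instead be placed once on each unit's OU with inheritance limited to descendant computer objects, which is the per-container approach the last post asks about; the trade-off is that the group then also gains those rights over any computer object later created in that OU, including ones staged by mistake. In either case the joining user still needs the "Add workstations to domain" user right only when no account has been pre-staged, so a tightly delegated environment can leave that right at its default and rely on pre-staging plus these ACEs.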
 