Active Directory Machine Account Permissions

J

Jay Armstrong

I am creating computer accounts from a web interface and need to set the
group that has the rights to join the computer to the domain (by default it
is Domain Admins).

I can create the accounts, and join them as a domain admin. The problem
arises when the local administrators who have been delagated control to thier
OU try to join the computer to the domain. They are recieveing an Account
Exists error.

This all works on my test domain with an account I have set up there, but
fails on the live domain.

I want to explicity assign Full Control of the computer account object to
the local admins group for the OU to see if this will fix the problem.

I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method but
can't find any documentation on it. (is it part of asp 2.0?)

Any help is appreciated,

Jay

Here is my creation code:

// Create the new Object
DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + MachineName,
SchemaName);

// Create Computer Account
NewComputer.Properties["sAMAccountName"].Add(MachineName + "$");
NewComputer.Properties["description"].Add(MachDesc);
NewComputer.Properties["userAccountControl"].Add(AccountControl);

// Save Computer Account
NewComputer.CommitChanges();

// Create routine to set group able to add the computer to the domain
// as the Designated OU Global Group
<!-- here is where I am having the problem -->

NewComputer.Close();
 
J

Joe Kaplan \(MVP - ADSI\)

Did you find a solution for this? I didn't see a reply.

To modify the security descriptor in .NET 1.1, you need to do COM Interop
with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs in
MSDN.

The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you want
to use the beta or CTP though. :)

Joe K.
 
J

Jay Armstrong

Joe,

Thanks for the feedback. Unfortunately I cannot run 2.0 on my production
servers, so I will have to wait for the AD security code.

We tracked it down to a rights assignment not taking. After removing the
delegation and recreating it, the remote admins could join the machines to
the domain.

We would still like to explicitly assign the rights to the groups, but I
(still) can't find the examples you mention in the MSDN. Do you have a link?

Jay

Joe Kaplan (MVP - ADSI) said:
Did you find a solution for this? I didn't see a reply.

To modify the security descriptor in .NET 1.1, you need to do COM Interop
with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs in
MSDN.

The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you want
to use the beta or CTP though. :)

Joe K.

Jay Armstrong said:
I am creating computer accounts from a web interface and need to set the
group that has the rights to join the computer to the domain (by default
it
is Domain Admins).

I can create the accounts, and join them as a domain admin. The problem
arises when the local administrators who have been delagated control to
thier
OU try to join the computer to the domain. They are recieveing an Account
Exists error.

This all works on my test domain with an account I have set up there, but
fails on the live domain.

I want to explicity assign Full Control of the computer account object to
the local admins group for the OU to see if this will fix the problem.

I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method
but
can't find any documentation on it. (is it part of asp 2.0?)

Any help is appreciated,

Jay

Here is my creation code:

// Create the new Object
DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + MachineName,
SchemaName);

// Create Computer Account
NewComputer.Properties["sAMAccountName"].Add(MachineName + "$");
NewComputer.Properties["description"].Add(MachDesc);
NewComputer.Properties["userAccountControl"].Add(AccountControl);

// Save Computer Account
NewComputer.CommitChanges();

// Create routine to set group able to add the computer to the domain
// as the Designated OU Global Group
<!-- here is where I am having the problem -->

NewComputer.Close();
 
J

Joe Kaplan \(MVP - ADSI\)

This is the only SDS-specific sample:

http://msdn.microsoft.com/library/d...urity_descriptor_property_type.asp?frame=true

The real body of the security stuff is in the AD SDK. You essentially need
to translate those from ADSI to SDS, but they are essentially the same.
They start here (probably read the whole thing twice :)):

http://msdn.microsoft.com/library/d...ss_to_active_directory_objects.asp?frame=true

Generally, I try to avoid doing this stuff in code as much as possible as it
kind of sucks. However, when forced to do it, I generally try making the
changes in the UI first, dump out the resulting SD in code, then try to make
the same changes in code to get it working. If you need to play with the
inheritance settings, you need to mess with the flags (the "protected" flag
specifically) on the Control member on the SD.

Best of luck. I'm sure you'll get this working eventually.

Joe K.

Jay Armstrong said:
Joe,

Thanks for the feedback. Unfortunately I cannot run 2.0 on my production
servers, so I will have to wait for the AD security code.

We tracked it down to a rights assignment not taking. After removing the
delegation and recreating it, the remote admins could join the machines to
the domain.

We would still like to explicitly assign the rights to the groups, but I
(still) can't find the examples you mention in the MSDN. Do you have a
link?

Jay

Joe Kaplan (MVP - ADSI) said:
Did you find a solution for this? I didn't see a reply.

To modify the security descriptor in .NET 1.1, you need to do COM Interop
with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs
in
MSDN.

The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you
want
to use the beta or CTP though. :)

Joe K.

Jay Armstrong said:
I am creating computer accounts from a web interface and need to set the
group that has the rights to join the computer to the domain (by
default
it
is Domain Admins).

I can create the accounts, and join them as a domain admin. The problem
arises when the local administrators who have been delagated control to
thier
OU try to join the computer to the domain. They are recieveing an
Account
Exists error.

This all works on my test domain with an account I have set up there,
but
fails on the live domain.

I want to explicity assign Full Control of the computer account object
to
the local admins group for the OU to see if this will fix the problem.

I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method
but
can't find any documentation on it. (is it part of asp 2.0?)

Any help is appreciated,

Jay

Here is my creation code:

// Create the new Object
DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" +
MachineName,
SchemaName);

// Create Computer Account
NewComputer.Properties["sAMAccountName"].Add(MachineName + "$");
NewComputer.Properties["description"].Add(MachDesc);
NewComputer.Properties["userAccountControl"].Add(AccountControl);

// Save Computer Account
NewComputer.CommitChanges();

// Create routine to set group able to add the computer to the domain
// as the Designated OU Global Group
<!-- here is where I am having the problem -->

NewComputer.Close();
 
J

Jay Armstrong

That looks like it will do it! Thanks. Good to know there are people like you
out there to help.

I've done some of this in vbscript, but C# and .NET are new animals to me. I
can get an ASP.NET website up and running, but the advanced stuff is still up
the learning curve.

I have some reading to do.

Jay

Joe Kaplan (MVP - ADSI) said:
This is the only SDS-specific sample:

http://msdn.microsoft.com/library/d...urity_descriptor_property_type.asp?frame=true

The real body of the security stuff is in the AD SDK. You essentially need
to translate those from ADSI to SDS, but they are essentially the same.
They start here (probably read the whole thing twice :)):

http://msdn.microsoft.com/library/d...ss_to_active_directory_objects.asp?frame=true

Generally, I try to avoid doing this stuff in code as much as possible as it
kind of sucks. However, when forced to do it, I generally try making the
changes in the UI first, dump out the resulting SD in code, then try to make
the same changes in code to get it working. If you need to play with the
inheritance settings, you need to mess with the flags (the "protected" flag
specifically) on the Control member on the SD.

Best of luck. I'm sure you'll get this working eventually.

Joe K.

Jay Armstrong said:
Joe,

Thanks for the feedback. Unfortunately I cannot run 2.0 on my production
servers, so I will have to wait for the AD security code.

We tracked it down to a rights assignment not taking. After removing the
delegation and recreating it, the remote admins could join the machines to
the domain.

We would still like to explicitly assign the rights to the groups, but I
(still) can't find the examples you mention in the MSDN. Do you have a
link?

Jay

Joe Kaplan (MVP - ADSI) said:
Did you find a solution for this? I didn't see a reply.

To modify the security descriptor in .NET 1.1, you need to do COM Interop
with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs
in
MSDN.

The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you
want
to use the beta or CTP though. :)

Joe K.

I am creating computer accounts from a web interface and need to set the
group that has the rights to join the computer to the domain (by
default
it
is Domain Admins).

I can create the accounts, and join them as a domain admin. The problem
arises when the local administrators who have been delagated control to
thier
OU try to join the computer to the domain. They are recieveing an
Account
Exists error.

This all works on my test domain with an account I have set up there,
but
fails on the live domain.

I want to explicity assign Full Control of the computer account object
to
the local admins group for the OU to see if this will fix the problem.

I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method
but
can't find any documentation on it. (is it part of asp 2.0?)

Any help is appreciated,

Jay

Here is my creation code:

// Create the new Object
DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" +
MachineName,
SchemaName);

// Create Computer Account
NewComputer.Properties["sAMAccountName"].Add(MachineName + "$");
NewComputer.Properties["description"].Add(MachDesc);
NewComputer.Properties["userAccountControl"].Add(AccountControl);

// Save Computer Account
NewComputer.CommitChanges();

// Create routine to set group able to add the computer to the domain
// as the Designated OU Global Group
<!-- here is where I am having the problem -->

NewComputer.Close();
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,994
Messages
2,570,223
Members
46,813
Latest member
lawrwtwinkle111

Latest Threads

Top