| Author | Messages |
| henrikpettersson (Posts: 3) | 10/25/2007 6:33 AM |
These users, why should they have access to servers?? Or do they join computers via any tools??

Henrik Pettersson
IT technician
PREEM PETROLEUM AB (publ) 556072-6977
IT Operations
Tel: +46 (0)8670 30 86
Mobile: +46 (0)70 450 19 03
Fax: +46 (0)10 450 19 88
E-mail: henrik.pettersson@preem.se

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of peter.t.johnson@accenture.com
Sent: 24 October 2007 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding Servers to AD

I would do this with PowerShell. Much easier, and a concrete reason to learn the new tech.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: 24 October 2007 15:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding Servers to AD

That's what I am working on now. Does anyone have a sample VBScript to search for Server 2003 computers and disable them? I will edit it to only search some OUs.

----- Original Message -----
From: "peter.t.johnson@accenture.com"
To: ActiveDir@mail.activedir.org
Sent: Wednesday, October 24, 2007 8:43:04 AM
Subject: RE: [ActiveDir] Adding Servers to AD

Not as far as I know. At least not with native tools, as the system doesn't differentiate between servers and workstations at this level. You might be able to come up with a script that runs on a schedule and confirms that a machine in the OU is a server, then disables its account and waits for the screaming. You would be able to do this with WMI.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: 24 October 2007 13:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding Servers to AD

Win2k3 AD in native mode. We have delegated control to several users in remote sites to be able to add computer objects to the domain. Is there a way to prevent these users from adding servers to the domain? We want them to only be able to add workstations.
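The scheduled "confirm it is a server, then disable the account" sweep that Peter Johnson describes and mck1012 asks a sample script for, written in PowerShell as an added example (it is not code posted in this thread). It assumes a placeholder OU path (`OU=Workstations,DC=example,DC=com`) and uses `System.DirectoryServices` directly, so it runs on PowerShell 1.0 against a Windows Server 2003 domain without the later ActiveDirectory module; the `operatingSystem` attribute is written by the machine itself when it joins, which is why it can be used to tell a server from a workstation even though AD permissions cannot.

```powershell
# Added example: report (and optionally disable) computer accounts in a delegated
# OU whose operatingSystem attribute identifies a server edition.
# Run as an account that can write userAccountControl on the OU's computer objects.
param(
    # Placeholder OU; replace with the OU the remote users were delegated.
    [string]$SearchBase = "LDAP://OU=Workstations,DC=example,DC=com",
    # Without -Disable the script only reports, which is the safe default for a
    # first run; with it, matching accounts get the ACCOUNTDISABLE flag set.
    [switch]$Disable
)

$ADS_UF_ACCOUNTDISABLE = 0x2   # userAccountControl bit for a disabled account

$root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.SearchScope = "Subtree"
$searcher.PageSize    = 500      # paged results so large OUs are not truncated
# Matches "Windows Server 2003", "Windows 2000 Server", etc.
$searcher.Filter = "(&(objectCategory=computer)(operatingSystem=*Server*))"
[void]$searcher.PropertiesToLoad.AddRange(@("name", "operatingSystem", "userAccountControl", "distinguishedName"))

foreach ($result in $searcher.FindAll()) {
    $name = $result.Properties["name"][0]
    $dn   = $result.Properties["distinguishedname"][0]
    $os   = $result.Properties["operatingsystem"][0]
    $uac  = [int]$result.Properties["useraccountcontrol"][0]
    $alreadyDisabled = ($uac -band $ADS_UF_ACCOUNTDISABLE) -ne 0

    Write-Host ("{0,-20} {1,-28} disabled={2}" -f $name, $os, $alreadyDisabled)

    if ($Disable -and -not $alreadyDisabled) {
        $entry = $result.GetDirectoryEntry()
        $entry.Properties["userAccountControl"].Value = $uac -bor $ADS_UF_ACCOUNTDISABLE
        $entry.CommitChanges()
        Write-Host "  -> disabled $dn"
    }
}
```

Run it once without `-Disable` to see what it would catch, then schedule it with `-Disable` against each delegated OU. Because the filter relies on an attribute the joined machine reports about itself, it is a detection control, not a preventive one; the preventive half of the thread's answer is to keep computer-account creation an administrative task.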
| vithal (Posts: 8) | 10/25/2007 6:06 AM |
Return Receipt. Your document "RE: SV: [ActiveDir] Adding Servers to AD" was received by Srini Koka/New York/Contr/IBM at 10/25/2007 18:05:26.
| mck1012 (Posts: 40) | 10/25/2007 7:42 AM |
Some users have rights to add computer objects to the domain. They are only supposed to be adding their local computers, but there is nothing stopping them from adding a server. Say if they install 2k3 Server on a laptop or buy a server without the corp office knowing. We have a network with over 100,000 users and about 100 sites, so we want to prevent the remote users from doing this. It does not happen often, but we don't want to take a chance.

----- Original Message -----
From: Pettersson Henrik
To: ActiveDir@mail.activedir.org
Sent: Thursday, October 25, 2007 6:33:45 AM
Subject: SV: [ActiveDir] Adding Servers to AD
| MThommes (Posts: 74) | 10/25/2007 7:51 AM |
I think what Henrik is asking is how are these users able to log on to a server to do the join? Servers are not normally accessible for logon by all users. While your group might have the ability to create a computer account in AD for a server/workstation, only someone with local admin authority on the server can do the join. I had the same question in my mind when I saw your question originally.

Mike Thommes

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: Thursday, October 25, 2007 6:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: SV: [ActiveDir] Adding Servers to AD
| mck1012 (Posts: 40) | 10/25/2007 8:01 AM |
These are servers they are installing. Anyone can install Server, create their own local admin account, and if they have the rights to join a computer object to the domain, they can join that server to the domain.

----- Original Message -----
From: "Thommes, Michael M."
To: ActiveDir@mail.activedir.org
Sent: Thursday, October 25, 2007 7:51:52 AM
Subject: RE: SV: [ActiveDir] Adding Servers to AD
| austin (Posts: 8) | 10/25/2007 8:23 AM |
Easiest way is to insist that the addition of machines to your domain is an administrative task which you delegate to trusted individuals, and set the domain ms-DS-MachineAccountQuota attribute to 0. This way, you have more centralised control.

If you insist any "normal user" can join machines to a domain, then you have to review the options suggested by JR. They will be able to join any machine to the domain and you'll have to do a sweep to clean out inappropriate machines.

Regards,
Austin

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: 25 October 2007 12:43
To: ActiveDir@mail.activedir.org
Subject: Re: SV: [ActiveDir] Adding Servers to AD
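Austin's recommendation, set ms-DS-MachineAccountQuota to 0 and keep computer-account creation delegated to trusted people, as an added PowerShell example (not code from this thread). It reads and sets the quota on the domain naming context through ADSI, which works on PowerShell 1.0 against Windows Server 2003, and adds a check a practitioner wants alongside it: a listing of who holds an explicit Create Child right for computer objects on a given OU, because the quota governs only the default right of Authenticated Users and does not touch delegations like the ones mck1012 granted. The OU path is a placeholder; the GUID is the well-known schemaIDGUID of the computer class.

```powershell
# Added example: harden the domain-wide join quota and audit OU-level delegations.
# Run as a domain admin (writing the quota) or an account that can read the OU ACL.

function Get-MachineAccountQuota {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    [int]$domain.Get("ms-DS-MachineAccountQuota")      # default on a new domain is 10
}

function Set-MachineAccountQuota {
    param([int]$Quota)
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    # 0 removes the default ability of Authenticated Users to create computer
    # accounts; explicit delegations on OUs are NOT affected by this value.
    $domain.Put("ms-DS-MachineAccountQuota", $Quota)
    $domain.SetInfo()
}

function Get-ComputerCreateDelegations {
    # Lists Allow ACEs on the OU that grant CreateChild either for all object
    # classes or specifically for the computer class.
    param([string]$OuPath)   # e.g. "LDAP://OU=Workstations,DC=example,DC=com" (placeholder)
    $computerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of 'computer'
    $ou    = [ADSI]$OuPath
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        $createChild = ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0
        $coversComputers = ($rule.ObjectType -eq [Guid]::Empty) -or ($rule.ObjectType -eq $computerClassGuid)
        if ($rule.AccessControlType -eq "Allow" -and $createChild -and $coversComputers) {
            "{0,-40} CreateChild objectType={1} inherited={2}" -f $rule.IdentityReference, $rule.ObjectType, $rule.IsInherited
        }
    }
}

# Usage
Write-Host ("Current ms-DS-MachineAccountQuota: " + (Get-MachineAccountQuota))
Set-MachineAccountQuota -Quota 0
Write-Host ("New ms-DS-MachineAccountQuota: " + (Get-MachineAccountQuota))
Write-Host "Explicit computer-creation delegations on the placeholder OU:"
Get-ComputerCreateDelegations -OuPath "LDAP://OU=Workstations,DC=example,DC=com"
```

An `ObjectType` of the empty GUID means the ACE grants CreateChild for every class, which is broader than "join workstations"; a delegation scoped to the computer class still lets the holder create an account for any machine, which is exactly the gap the thread is about, so the OU listing is what to review after the quota change.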
| davewade (Posts: 44) | 10/25/2007 9:37 AM |
If you install Windows on the computer you know the password to the local administrator account, which allows them access to the machine with enough rights to join it to the domain from the machine itself.

I assume these people are administrators of the local desktops. If they join a server to the domain and it ends up in the same OU as the desktops, they will, WMI filters permitting, end up with full admin rights on the servers. As others have said, the trick is to make sure it's not in the same OU.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Pettersson Henrik
Sent: 25 October 2007 13:54
To: ActiveDir@mail.activedir.org
Subject: SV: SV: [ActiveDir] Adding Servers to AD

"I think what Henrik is asking is how are these users able to log on to a server to do the join? Servers are not normally accessible for logon by all users. While your group might have the ability to create a computer account in AD for a server/workstation, only someone with local admin authority on the server can do the join. I had the same question in my mind when I saw your question originally.
Mike Thommes"

Yep… that's correct, that's what I wondered. The easiest way to do this… in my opinion (if you want a special group to join computers/servers to AD) is to create groups based on WMI filters.

Henrik Pettersson
IT technician
PREEM PETROLEUM AB (publ) 556072-6977
IT Operations
Tel: +46 (0)8670 30 86
Mobile: +46 (0)70 450 19 03
Fax: +46 (0)10 450 19 88
E-mail: henrik.pettersson@preem.se

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Thommes, Michael M.
Sent: 25 October 2007 13:52
To: ActiveDir@mail.activedir.org
Subject: RE: SV: [ActiveDir] Adding Servers to AD
| austin
Posts:8
 | | 10/25/2007 9:42 AM |
| v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
I wonder where the idea that “Servers are not normally accessible for logon by all
users” comes from!
If you have an account on a “workgroup” server you can logon to
it locally by default. You won’t have admin rights but you can logon.
To join the server to the domain, you need admin rights on the
member server but not necessarily admin rights in AD (hence the ms-DS-MachineAccountQuota
issue) and if YOU built the server, you’ll be admin.
All Domain Users, by default, can also logon locally to any
Server in the domain. Unless you change the User rights assignment on a LSP or on
a GP that’s got the server in its SOM, that’s how it’ll be (the setting is “not
defined” by default).
Regards,
Austin
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Pettersson
Henrik
Sent: 25 October 2007 13:54
To: ActiveDir@mail.activedir.org
Subject: SV: SV: [ActiveDir] Adding Servers to AD
” I think what Henrik is asking is how are these
users able to logon to a server to do the join? Servers are not normally
accessible for logon by all users. While your group might have the
ability to create a computer account in AD for a server/workstation, only
someone with local admin authority on the server can do the join. I had
the same question in my mind when I saw your question originally.
Mike Thommes”
Japp….that’s correct, that’s what I wondered. The easiest way to do
this…in my opinion (if you want a special group to join computers/servers to
AD) is to create groups based on WMI-filters.
Henrik Pettersson
IT-tekniker
PREEM PETROLEUM AB
(publ) 556072-6977
IT-Drift
Tfn nr: +46 (0)8670 30 86
Mobil nr: +46 (0)70 450 19 03
Fax nr: +46 (0)10 450 19 88
E-mail: henrik.pettersson@preem.se
Från: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] För Thommes, Michael M.
Skickat: den 25 oktober 2007 13:52
Till: ActiveDir@mail.activedir.org
Ämne: RE: SV: [ActiveDir] Adding Servers to AD
I think what Henrik is asking is how are these users able to logon
to a server to do the join? Servers are not normally accessible for logon
by all users. While your group might have the ability to create a
computer account in AD for a server/workstation, only someone with local admin
authority on the server can do the join. I had the same question in my
mind when I saw your question originally.
Mike Thommes
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: Thursday, October 25, 2007 6:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: SV: [ActiveDir] Adding Servers to AD
Some user have
rights to add computer objects to the domain. They are only suppose to be
adding their local computers but there is nothing stopping them from
adding a server. Say if they install 2k3 server on a laptop or buy a
server without the corp office knowing. We have a network with over
100,000 users and about 100 sites so we want to prevent the remote users from
doing this. It does not happen often but we dont want to take a chance.
----- Original
Message ----
From: Pettersson Henrik To: ActiveDir@mail.activedir.org
Sent: Thursday, October 25, 2007 6:33:45 AM
Subject: SV: [ActiveDir] Adding Servers to AD
This users, why should they have access to servers?? Or do they
join computers via any tools??
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of peter.t.johnson@accenture.com
Sent: 24 October 2007 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding Servers to AD
I would do this with PowerShell. Much easier and a concrete reason
to learn the new tech.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: 24 October 2007 15:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding Servers to AD
That's what I am working on now. Does anyone have a sample VBScript to search for Server 2003
computers and disable them? I will edit it to only search some OUs.
----- Original Message ----
From: "peter.t.johnson@accenture.com"
To: ActiveDir@mail.activedir.org
Sent: Wednesday, October 24, 2007 8:43:04 AM
Subject: RE: [ActiveDir] Adding Servers to AD
Not as far as I know. At least not with native tools, as the system
doesn't differentiate between servers and workstations at this level. You might
be able to come up with a script that runs on a schedule and confirms that a
machine in the OU is a server and then disables its account and wait for the
screaming. You would be able to do this with WMI.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: 24 October 2007 13:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding Servers to AD
Win2k3 AD in native mode.
Have delegated control to several users in remote sites to be able to add
computer objects to the domain. Is there a way to prevent these users from
adding servers to the domain? We want them to only be able to add workstations.
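The scheduled check Peter Johnson sketches and the script mck1012 asks for, written here as an added PowerShell example that is not code from this thread. It uses System.DirectoryServices rather than WMI so it runs from any domain member without extra modules; the OU distinguished names are placeholders, and since operatingSystem is written by the machine when it joins, this detects a server that has already joined rather than preventing the join.

```powershell
# Added example, not code from the thread. Lists enabled computer accounts in the
# delegated OUs whose operatingSystem attribute says "Server" and, only when run
# with -Disable, sets the ACCOUNTDISABLE bit on them. Report-only by default.
param(
    [switch] $Disable
)

$ADS_UF_ACCOUNTDISABLE = 0x2   # userAccountControl bit that disables an account

function Find-ServerComputerAccounts {
    param([string[]] $SearchBases)

    # Enabled computer objects whose OS string contains "Server" (2000 Server,
    # Server 2003, ...). 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule,
    # so the last clause excludes accounts that are already disabled.
    $filter = '(&(objectCategory=computer)(operatingSystem=*Server*)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    foreach ($base in $SearchBases) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$base")
        $searcher.SearchScope = 'Subtree'
        $searcher.Filter = $filter
        $searcher.PageSize = 1000   # paged results, so large OUs come back whole
        [void]$searcher.PropertiesToLoad.AddRange(
            [string[]]@('name', 'operatingSystem', 'distinguishedName', 'whenCreated'))

        foreach ($result in $searcher.FindAll()) {
            $p = $result.Properties
            New-Object PSObject -Property @{
                Name              = [string]$p['name'][0]
                OperatingSystem   = [string]$p['operatingsystem'][0]
                DistinguishedName = [string]$p['distinguishedname'][0]
                WhenCreated       = $p['whencreated'][0]
            }
        }
    }
}

function Disable-ComputerAccount {
    param([string] $DistinguishedName)
    # Set the disable bit without touching the other userAccountControl flags.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $uac = [int]$entry.Properties['userAccountControl'].Value
    $entry.Properties['userAccountControl'].Value = $uac -bor $ADS_UF_ACCOUNTDISABLE
    $entry.CommitChanges()
}

# Placeholder: the OUs delegated to remote-site staff. Scope the search to those
# OUs only, so the Domain Controllers OU and sanctioned server OUs are never touched.
$delegatedOUs = @('OU=Remote Sites,DC=example,DC=com')

$found = @(Find-ServerComputerAccounts -SearchBases $delegatedOUs)
$found | Format-Table Name, OperatingSystem, WhenCreated, DistinguishedName -AutoSize

if ($Disable) {
    foreach ($c in $found) {
        Disable-ComputerAccount -DistinguishedName $c.DistinguishedName
        Write-Output "Disabled $($c.DistinguishedName)"
    }
}
```

Run it without -Disable first from a scheduled task and review the report; a computer object created before the machine joins has no operatingSystem yet, so it will only show up on the run after the join completes.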
| austin
Posts:8
 | | 10/25/2007 9:52 AM |
As an addendum, on member servers joined to a domain, Domain
Users are explicitly given the user right to logon locally by virtue of
membership of the Users local group on the server.
So, by default, whether on a domain or not, if you have an
account on a Windows server, you can logon locally. The exception to this is
DCs where, by default, only DAs+ can logon locally.
Regards,
Austin
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Austin Osuide
Sent: 25 October 2007 14:43
To: ActiveDir@mail.activedir.org
Subject: RE: SV: [ActiveDir] Adding Servers to AD
I wonder where the idea that “Servers are not normally accessible for logon by all
users” comes from!
If you have an account on a “workgroup” server you can logon to
it locally by default. You won’t have admin rights but you can logon.
To join the server to the domain, you need admin rights on the
member server but not necessarily admin rights in AD (hence the
ms-DS-MachineAccountQuota issue) and if YOU built the server, you’ll be admin.
All Domain Users, by default, can also logon locally to any
server in the domain. Unless you change the User Rights Assignment on an LSP or
on a GP that's got the server in its SOM, that's how it'll be (the setting is
"not defined" by default).
Regards,
Austin
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Pettersson Henrik
Sent: 25 October 2007 13:54
To: ActiveDir@mail.activedir.org
Subject: SV: SV: [ActiveDir] Adding Servers to AD
"I think what Henrik is asking is how are these
users able to logon to a server to do the join? Servers are not normally
accessible for logon by all users. While your group might have the
ability to create a computer account in AD for a server/workstation, only
someone with local admin authority on the server can do the join. I had
the same question in my mind when I saw your question originally.
Mike Thommes"
Yep... that's correct, that's what I wondered. The easiest way to do
this, in my opinion (if you want a special group to join computers/servers to
AD), is to create groups based on WMI filters.
| MThommes
Posts:74
 | | 10/25/2007 10:18 AM |
Hi Austin,
(Just when
I think I know something about Windows, I am reminded otherwise!). Knowing
your extensive knowledge, I just tried logging into a server with my regular
user account and found out, “yes, I could!” Wow! I think it’s a case where we
keep our servers physically locked down like our DCs. Access to the servers by
regular users then would only be by Remote Desktop and they are prevented from
doing that by policy. I guess I was assuming too much regarding User Rights
Assignments. I will get this changed post haste. Thanks!
Mike Thommes
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Austin Osuide
Sent: Thursday, October 25, 2007 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: SV: [ActiveDir] Adding Servers to AD
I wonder where the
idea that “Servers are not normally accessible for logon by all
users” comes
from!
If you have an
account on a “workgroup” server you can logon to it locally by default. You
won’t have admin rights but you can logon.
To join the server
to the domain, you need admin rights on the member server but not necessarily
admin rights in AD (hence the ms-DS-MachineAccountQuota issue) and if YOU built
the server, you’ll be admin.
All Domain Users, by default, can also logon locally to any server in the domain. Unless you change
the User Rights Assignment on an LSP or on a GP that's got the server in its
SOM, that's how it'll be (the setting is "not defined" by default).
Regards,
Austin
| listmail
Posts:454
 | | 10/25/2007 12:50 PM |
Well, with DCs it is DAs, EAs, Acc Ops, Serv Ops, etc... But
effectively, or at least it should be effectively because people shouldn't be
using the other builtin groups, it should just be DAs.

On members, local logon is enabled because many client
server apps need that in order to function, such as IIS apps, etc. I recall once that an Exchange team added rcmd to all of
the Exchange servers, then I, who wasn't an Exchange admin, rcmd'ed right into
their servers and was poking around. They couldn't shut off my ability to log on
as Exchange stuff wouldn't work properly LOL. So they had to kill rcmd off
their servers. I almost wrote them a version of rcmd that looked at a special
security group and then just decided nah, not worth the bother as I didn't
support those servers lol.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Austin Osuide
Sent: Thursday, October 25, 2007 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: SV: [ActiveDir] Adding Servers to AD
As an addendum, on member servers joined to a domain, Domain Users are explicitly
given the user right to logon locally by virtue of membership of the Users local
group on the server.
So, by default, whether on a domain or not, if you have an account on a Windows
server, you can logon locally. The exception to this is DCs where, by default,
only DAs+ can logon locally.
Regards,
Austin
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Austin OsuideSent: 25 October 2007
14:43To: ActiveDir@mail.activedir.orgSubject: RE: SV:
[ActiveDir] Adding Servers to AD
I
wonder where the idea that “Servers
are not
normally accessible for logon by all users”
comes from!
If
you have an account on a “workgroup” server you can logon to it locally by
default. You won’t have admin rights but you can logon.
To
join the server to the domain, you need admin rights on the member server but
not necessarily admin rights in AD (hence the ms-DS-MachineAccountQuota issue)
and if YOU built the server, you’ll be admin.
All
Domain Users, by default, can also logon locally to any Server in the domain.
Unless you change the User rights assignment on a LSP or on a GP that’s got the
server in its SOM, that’s how it’ll be (the setting is “not defined” by
default).
Regards,
Austin
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Pettersson HenrikSent: 25 October 2007
13:54To: ActiveDir@mail.activedir.orgSubject: SV: SV:
[ActiveDir] Adding Servers to AD
”
I think what
Henrik is asking is how are these users able to logon to a server to do the
join? Servers are not normally accessible for logon by all
users. While your group might have the ability to create a computer
account in AD for a server/workstation, only someone with local admin authority
on the server can do the join. I had the same question in my mind when I
saw your question originally.
Mike
Thommes” Japp….that’s
correct, that’s what I wondered. The easiest way to do this…in my opinion (if
you want a special group to join computers/servers to AD) is to create groups
based on WMI-filters. Henrik
Pettersson
IT-tekniker
PREEM
PETROLEUM AB (publ)
556072-6977
IT-Drift
Tfn
nr: +46 (0)8670 30 86Mobil
nr: +46 (0)70 450 19 03Fax
nr: +46 (0)10 450 19 88E-mail:
henrik.pettersson@preem.se
Från:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
För Thommes, Michael M.Skickat: den 25 oktober 2007
13:52Till: ActiveDir@mail.activedir.orgÄmne: RE: SV:
[ActiveDir] Adding Servers to AD
I think what Henrik is asking is how are these users able to log on to a server to do the join? Servers are not normally accessible for logon by all users. While your group might have the ability to create a computer account in AD for a server/workstation, only someone with local admin authority on the server can do the join. I had the same question in my mind when I saw your question originally.
Mike Thommes
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: Thursday, October 25, 2007 6:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: SV: [ActiveDir] Adding Servers to AD
Some users have rights to add computer objects to the domain. They are only supposed to be adding their local computers, but there is nothing stopping them from adding a server. Say if they install 2k3 server on a laptop or buy a server without the corp office knowing. We have a network with over 100,000 users and about 100 sites, so we want to prevent the remote users from doing this. It does not happen often, but we don't want to take a chance.
| | | |
| guyt1799190425
Posts:36
 | | 10/27/2007 7:41 AM |
| I would do the following:
1) Set ms-DS-MachineAccountQuota to 0.
2) Delegate creation/deletion of computer accounts in dedicated server/workstation OUs, but not in the Computers container, so that the user who joins the computer to the domain either has to pre-create the account or has to use netdom with the target OU as a parameter.
3) Give the remote site admins permissions to create/delete computer accounts only in the workstation OUs.
4) Run a scheduled job that queries the workstation OUs, looks for server computer accounts and disables those:
   a. dsquery * "ou=workstations,dc=domain,dc=net" -filter "(&(objectcategory=computer)(operatingsystem=*server*))"
   b. pipe the results to "dsmod computer -disabled yes"
5) Step 4 could be a bit problematic if the users decide to join Samba servers to AD, but you could, instead of looking for "server" in the name of the operating system, just scope it based on the allowed client OS names and negate it:
   "(&(objectcategory=computer)(!(operatingsystem=Windows XP*))(!(operatingsystem=Windows Vista*))(!(operatingsystem=yada yada)))"
Guy
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of mck1012
Sent: Thursday, October 25, 2007 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: SV: [ActiveDir] Adding Servers to AD
These are servers they are installing. Anyone can install a server, create their own local admin account, and if they have the rights to join a computer object to the domain they can join that server to the domain.
| | | |
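The procedure in Guy's steps 1, 4 and 5, together with Austin's ms-DS-MachineAccountQuota remark, as one added example that is not from anyone in the thread: a PowerShell script using the ActiveDirectory module (Windows Server 2008 R2 and later) in place of the dsquery/dsmod pipeline. The OU path, domain and allowed-OS prefixes are placeholder assumptions; the script builds the negated allow-list filter from step 5 in RFC 4515 form and reports or disables computer accounts in the workstation OUs whose operatingSystem is not on the allow-list.

```powershell
# Added example, not code from the thread. Implements steps 1, 4 and 5 of Guy's
# procedure with the ActiveDirectory module instead of dsquery/dsmod.
# Assumptions (placeholders): the OU DN, the domain, and the allowed-OS prefixes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Workstation OUs delegated to remote-site admins (placeholder DNs)
    [string[]]$WorkstationOUs = @('OU=Workstations,DC=domain,DC=net'),
    # Allowed client OS names; anything else in these OUs is treated as a server
    [string[]]$AllowedOSPrefixes = @('Windows XP', 'Windows Vista'),
    # Step 1: also set ms-DS-MachineAccountQuota to 0 on the domain NC
    [switch]$SetQuotaToZero
)

Import-Module ActiveDirectory

# Step 1: with the quota at 0, Authenticated Users can no longer create computer
# accounts implicitly; only explicitly delegated groups (steps 2-3) can.
if ($SetQuotaToZero) {
    $domainDn = (Get-ADDomain).DistinguishedName
    if ($PSCmdlet.ShouldProcess($domainDn, 'Set ms-DS-MachineAccountQuota to 0')) {
        Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    }
}

# Step 5: negate the allow-list. RFC 4515 wraps each negated assertion in its own
# parentheses: (!(operatingSystem=Windows XP*)). The (operatingSystem=*) term
# requires the attribute to be populated, so a pre-created account that has not
# joined yet (step 2) is not disabled before the workstation ever joins.
$negated    = ($AllowedOSPrefixes | ForEach-Object { "(!(operatingSystem=$_*))" }) -join ''
$ldapFilter = "(&(objectCategory=computer)(operatingSystem=*)$negated)"

$findings = @()
foreach ($ou in $WorkstationOUs) {
    $suspects = Get-ADComputer -SearchBase $ou -SearchScope Subtree `
                    -LDAPFilter $ldapFilter -Properties operatingSystem, whenCreated

    foreach ($c in $suspects) {
        if (-not $c.Enabled) { continue }   # already disabled by an earlier run

        $findings += [pscustomobject]@{
            Name    = $c.Name
            OS      = $c.operatingSystem
            Created = $c.whenCreated
            OU      = $ou
        }
        Write-Warning ("Non-workstation OS in {0}: {1} ({2}), created {3}" -f
            $ou, $c.Name, $c.operatingSystem, $c.whenCreated)

        # Step 4: disable the account; -WhatIf reports without changing anything.
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable computer account')) {
            Disable-ADAccount -Identity $c
            Set-ADComputer -Identity $c `
                -Description ("Disabled by OS policy check {0:u}" -f (Get-Date))
        }
    }
}

# Emit the findings so the scheduled task can log or mail them.
$findings
```

Run it once with `-WhatIf` to get a report of what would be disabled before scheduling it. The `(operatingSystem=*)` term is the edge case Guy's step 5 filter does not cover: a computer account that was pre-created in the workstation OU but not yet joined has an empty operatingSystem and would otherwise match the negated allow-list and be disabled before the join. The allow-list has to be extended whenever a new client OS is approved, which is the trade-off Guy describes in step 5 versus matching on "*server*" in the OS name.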