| Author | Messages | |
y2k
Posts:41
 | | 07/02/2009 4:33 PM |
| Hi All
We've got some imaging software which also joins our PCs to the domain for us and puts them in the correct OU. I'm trying to give the service account that this software runs under permissions to create computer accounts in the appropriate OUs, but I'm not having much luck! The OU is called SITE1, so I've gone to the permissions of SITE1 and selected Organizational Unit objects in the "Apply onto" drop down menu and then allowed the "Create computer objects" permission to the relative account. But when sysprep runs and tries to add the machine to the domain into that account, it says that the account doesn't have permissions.
What have I done wrong !! Do I need to apply this permission at the parent OU level ?
Thanks ! Martin
| | | |
| PARRIS
Posts:291
 | | 07/02/2009 4:48 PM |
| What I do is - give the joindomain account Create and Delete computer objects and then give the account full control of said computer objects.
Regards,
Mark Parris MVP, Directory Services
[ADUG] UK Active Directory User Group http://adug.co.uk | | | |
| hboogz
Posts:71
 | | 07/02/2009 4:49 PM |
| Mark, How do you automate giving the joindomain account full control of said computer objects ?
| | | |
| ZJORZ
Posts:363
 | | 07/02/2009 4:52 PM |
| See: http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto | Senior Technical Consultant | MVP IdA-DS | Oxford Computer Group BeNeLux O: +31 (0)6 26.26.62.80 | :: +31 (0)70 36.21.627 | : +31 (0)70 36.21.677 :: Sweelinckplein 9 (Unit 11), 2517 GK, Den Haag, The Netherlands (Google Maps) (Live Maps) www.oxfordcomputergroup.com | Expertise in Identity & Access Management Registered nr Chamber of Commerce/KvK 32129259, VAT/BTW NL8188.31.972.BO1 (MVP Profile) (Blog)
| | | |
| y2k
Posts:41
 | | 07/02/2009 4:54 PM |
| Wow ... quick reply, Mark!
Just one question:
>> give the account full control of said computer objects
You mean give the account the "Write all properties" permission for computer objects?
Thanks ! Martin
| | | |
| TG
Posts:298
 | | 07/02/2009 5:00 PM |
| Per Microsoft article (http://support.microsoft.com/kb/932455/en-us) and my testing the following grants sufficient rights to urgroupname@urdomain.tld to add devices to a domain.
dsacls "OU=site1,DC=urdomain,DC=tld" /I:S /G urgroupname@urdomain.tld:WS;;computer
dsacls "OU=site1,DC=urdomain,DC=tld" /I:S /G urgroupname@urdomain.tld:RPWP;"Account Restrictions";computer
dsacls "OU=site1,DC=urdomain,DC=tld" /I:S /G urgroupname@urdomain.tld:CA;"Reset Password";computer
Also need to grant the right/priv to the group in the group policy to add workstations to the domain.
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 | USA Tel 847.295.5000 x37892 | Fax 847.883.7892 tony dot gordon at hewitt dot tld | www.hewitt.com
| | | |
| y2k
Posts:41
 | | 07/02/2009 5:13 PM |
| Thanks Tony, one question for you also !
>> Also need to grant the right/priv to the group in the group policy to add workstations to the domain.
I presume you are referring to the "Add workstations to domain" right ? I understood that this is only used in cases where the user does NOT have permissions to write to the destination container ?
| | | |
| PARRIS
Posts:291
 | | 07/02/2009 6:18 PM |
| No, go through the wizard twice - setting once the create and delete and then again granting full control. I then repeat this for whatever OU/Service Account needs it.
Regards,
Mark Parris MVP, Directory Services
[ADUG] UK Active Directory User Group http://adug.co.uk | | | |
|
|
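The grants discussed in this thread, scripted so they can be repeated per OU and service account; this is an added example, not code posted by any participant. It combines a Create/Delete computer objects grant on the OU itself with the three dsacls grants TG quotes from KB 932455, and passes each permission spec as a single string because an unquoted `;` ends a statement in PowerShell. The principal and OU values are the thread's placeholder names, and the script does not touch the "Add workstations to domain" user right.

```powershell
# Added example: delegate domain-join rights on one or more OUs with dsacls.
# $Principal and $OUs are placeholders (the thread's sample names); replace with your own.
$Principal = 'urgroupname@urdomain.tld'
$OUs       = @('OU=site1,DC=urdomain,DC=tld')

# Each entry: dsacls inheritance switch, then the permission spec handed to /G.
#   /I:T = this object and its child objects, /I:S = child objects only.
$Grants = @(
    # Create/delete child objects of class computer; must apply to the OU itself
    @{ Inherit = '/I:T'; Spec = 'CCDC;computer' },
    # Validated writes on computer objects
    @{ Inherit = '/I:S'; Spec = 'WS;;computer' },
    # Read/write the Account Restrictions property set on computer objects
    @{ Inherit = '/I:S'; Spec = 'RPWP;Account Restrictions;computer' },
    # Reset Password control access right on computer objects
    @{ Inherit = '/I:S'; Spec = 'CA;Reset Password;computer' }
)

foreach ($ou in $OUs) {
    foreach ($g in $Grants) {
        # Build the /G value as ONE string: PowerShell would otherwise split on ';'
        $ace = '{0}:{1}' -f $Principal, $g.Spec
        Write-Host "Granting $ace on $ou ($($g.Inherit))"
        & dsacls.exe $ou $g.Inherit /G $ace
    }

    # Review step: show the ACEs that now mention the principal on this OU,
    # so the delegation can be compared against what was intended.
    $shortName = $Principal.Split('@')[0]
    & dsacls.exe $ou | Select-String -SimpleMatch $shortName
}
```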