Delegating renaming computer objects

jkrabacher3 posted this 04 March 2009

Hello,
I'm trying to delegate administration of computer objects and I'm running into some problems. I've created a group and delegated it full control over computer objects in the Computers container. While logged on to a workstation as local admin I can add the computer to the domain by using an account that's a member of this group when prompted. When I change the workstation membership from domain to workgroup using these same credentials everything appears to work on the workstation side but the computer object isn't removed from AD. It is disabled though and I can manually remove the object using the same credentials. If I attempt to rename the computer while it's a member of the domain I get an 'access denied' error kicked back.

I want to be able to rename a computer without having to disjoin it from the domain. Everything I've seen says that I should be able to do this given my current configuration but I can't. And it would be nice if the computer object was removed from AD when changing from domain to workgroup on the workstation but this isn't of as much concern to me. Any suggestions?

Thanks,
John

webster posted this 18 April 2016

https://technet.microsoft.com/en-us/library/hh849792.aspx

Webster

PLeathen posted this 11 March 2009

I'm not sure why you've removed this, and personally I wouldn't recommend removing Authenticated Users from the Pre-Windows 2000 Compatible Access group, as this is a default out-of-the-box setting and is tied into so many other things, but you can try adding the security group to which you've delegated the computer-rename permissions to the Pre-Windows 2000 Compatible Access group and see if this works. That way it's also still locked down to just the members of that particular group.

jkrabacher3 posted this 11 March 2009

Right, but in my environment Authenticated Users has been removed from Pre-Windows 2000 Compatible Access and that's why the delegated account wouldn't work.


PLeathen posted this 11 March 2009

The Authenticated Users group is by default in the Pre-Windows 2000 Compatible Access group. I do not make any changes to this and just leave it as is. The security group is not a member of any other groups.

jkrabacher3 posted this 11 March 2009

So just to clarify you're saying that the Authenticated Users group is not a member of Pre-Windows 2000 Compatible Access and there are no other members in that group either? Is the security group for your delegates a member of any other group?


PLeathen posted this 11 March 2009

When I initially created the ability for our support users to rename computer objects in certain OUs I ran the script with my domain admin account to create the delegation. I actually delegate the computer-rename permission to a security group that I have created and add those members I wish to have this ability, so I've never tried this with Authenticated Users, though I don't see why this shouldn't work.

I don't add anyone to the Pre-Windows 2000 Compatible Access group.

jkrabacher3 posted this 11 March 2009

I did ask them that. The answer is that code is written in such a way that the account's rights are checked against the Builtin container, the domain head, and the Pre-Windows 2000 Compatible Access group. No one there could answer why it is that way but they did pose the question to their product development team. They're not sure if they'll get an answer from them or not. I was trying to get them to issue a hotfix for it. :)


jkrabacher3 posted this 11 March 2009

Hi Patrick,
Is the account you run the script under or the Authenticated Users group a member of the Pre-Windows 2000 Compatible Access group?

John


PLeathen posted this 11 March 2009

This is a script that I found that will delegate the correct permissions to rename a machine in a domain. This script will delegate only those permissions that are required to change the computer name to members of a security group.

dsacls "ou=Computers,ou=Domain,dc=Com,dc" /I:S /G "<SecurityGroupName>":WS;"Validated write to DNS host name";computer
dsacls "ou=Computers,ou=Domain,dc=Com,dc" /I:S /G "<SecurityGroupName>":WS;"Validated write to service principal name";computer
dsacls "ou=Computers,ou=Domain,dc=Com,dc" /I:S /G "<SecurityGroupName>":CA;"Reset Password";computer
dsacls "ou=Computers,ou=Domain,dc=Com,dc" /I:S /G "<SecurityGroupName>":WP;"Account Restrictions";computer
dsacls "ou=Computers,ou=Domain,dc=Com,dc" /I:S /G "<SecurityGroupName>":WP;"sAMAccountName";computer

Hope this may help...
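As an added example (not from the thread or any of its posters), the same five grants as the dsacls lines above, expressed with the ActiveDirectory PowerShell module. It resolves the extended-right, property-set and schema GUIDs from the directory by display name rather than hard-coding them, checks which of the five ACEs the group already holds on the OU, and only adds the missing ones when run with -Apply. The OU distinguished name, the group name, the -Apply switch and the two helper function names are placeholders of mine; the account running it must be allowed to modify the OU's DACL.

```powershell
<#
Added example, not from the thread: the five grants of the dsacls lines above,
applied with the ActiveDirectory module. Report-only unless -Apply is given.
$OuDn, $GroupName and the helper names are placeholders (assumptions), not
values from the thread.
#>
param(
    [string]$OuDn      = 'OU=Computers,OU=Domain,DC=example,DC=com',  # placeholder OU
    [string]$GroupName = 'Delegated-Computer-Rename',                 # placeholder group
    [switch]$Apply                                                     # default: report only
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve GUIDs from the directory by name instead of hard-coding them, so a typo
# in a name throws rather than silently granting the wrong right.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]::new([byte[]]$o.schemaIDGUID)
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "Extended right or property set '$DisplayName' not found" }
    [guid]$o.rightsGuid
}

$computerClass = Get-SchemaGuid 'computer'                 # inherited-object type (";computer")
$groupSid      = (Get-ADGroup -Identity $GroupName).SID
$groupAccount  = $groupSid.Translate([System.Security.Principal.NTAccount]).Value

# One entry per dsacls line. WS = validated write (Self), CA = control access
# (ExtendedRight), WP = WriteProperty; /I:S = child objects only (Descendents).
$wanted = @(
    @{ Rights = 'Self';          Kind = 'Right';  Name = 'Validated write to DNS host name' },
    @{ Rights = 'Self';          Kind = 'Right';  Name = 'Validated write to service principal name' },
    @{ Rights = 'ExtendedRight'; Kind = 'Right';  Name = 'Reset Password' },
    @{ Rights = 'WriteProperty'; Kind = 'Right';  Name = 'Account Restrictions' },
    @{ Rights = 'WriteProperty'; Kind = 'Schema'; Name = 'sAMAccountName' }
)

$aclPath = "AD:\$OuDn"
$acl     = Get-Acl -Path $aclPath
$changed = $false
foreach ($w in $wanted) {
    $objGuid = if ($w.Kind -eq 'Schema') { Get-SchemaGuid $w.Name } else { Get-RightsGuid $w.Name }
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]$w.Rights

    # Skip entries that already exist so re-running does not stack duplicate ACEs.
    $present = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $groupAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $rights) -eq $rights -and
        $_.ObjectType -eq $objGuid -and
        $_.InheritedObjectType -eq $computerClass -and
        $_.InheritanceType -eq 'Descendents'
    }
    if ($present) { Write-Host "present : $($w.Rights) on '$($w.Name)'"; continue }

    Write-Host "missing : $($w.Rights) on '$($w.Name)'"
    if ($Apply) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $groupSid, $rights,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $objGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $computerClass
        )
        $acl.AddAccessRule($ace)
        $changed = $true
    }
}
if ($changed)        { Set-Acl -Path $aclPath -AclObject $acl; Write-Host "DACL updated on $OuDn" }
elseif (-not $Apply) { Write-Host "Report only; re-run with -Apply to add the missing entries" }
```

Run it once without -Apply to see which of the five entries are missing, then with -Apply to add only those. Resolving the GUIDs by name also makes the script a useful audit of an existing delegation: each "present" line confirms one specific right on computer objects under the OU and nothing broader.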

listmail posted this 11 March 2009

Your predecessors were locking the directory down. A good goal.

Ask MSFT what exactly pre-2K group is giving access to that makes this work.
May be a good idea to just delegate that specific right. Likely it is read
to some specific property of the computer.


--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm

jkrabacher3 posted this 11 March 2009

I got this worked out with MS. The problem was that the account I was using to rename the computer wasn't a member of the AD group 'Pre-Windows 2000 Compatible Access.' Normally this isn't a problem since 'Authenticated Users' is typically in this group but at some point in time one of my predecessors removed this and all other groups from it. Once I added the account I was using I was able to do the rename.

Thanks for all the suggestions.

John

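The resolution above turns on who is in Pre-Windows 2000 Compatible Access. As an added example that is not part of the thread, the following script reports that group's membership and flags the two states that matter to a defender: Authenticated Users absent (delegated operations such as the rename above fail with access denied) and Anonymous Logon or Everyone present (unauthenticated read of user and group attributes is enabled). It assumes only the ActiveDirectory module; the function name and the well-known SID table are mine.

```powershell
# Added example, not from the thread: audit membership of
# 'Pre-Windows 2000 Compatible Access'. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known SIDs that can appear in this group (constructed lookup table).
$wellKnown = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-1-0'  = 'Everyone'
}

function Get-PreWin2kMembers {
    # Read the member attribute directly: Get-ADGroupMember can fail on the
    # foreign security principals that represent well-known SIDs.
    $grp = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    foreach ($dn in $grp.member) {
        $m   = Get-ADObject -Identity $dn -Properties objectSid, objectClass
        $sid = $m.objectSid.Value
        $name = if ($wellKnown.ContainsKey($sid)) { $wellKnown[$sid] } else { $m.Name }
        [pscustomobject]@{ Name = $name; Sid = $sid; Class = $m.objectClass }
    }
}

$members = @(Get-PreWin2kMembers)
$members | Format-Table -AutoSize

$sids = $members.Sid
if ($sids -notcontains 'S-1-5-11') {
    Write-Warning "Authenticated Users is not a member: delegated accounts may get access denied on operations (such as a computer rename) that rely on the read access this group carries."
}
foreach ($bad in 'S-1-5-7', 'S-1-1-0') {
    if ($sids -contains $bad) {
        Write-Warning "$($wellKnown[$bad]) is a member: unauthenticated read of user and group attributes is enabled; remove it unless a legacy application still needs it."
    }
}
```

Authenticated Users is the default member; Anonymous Logon and Everyone only appear when pre-Windows 2000 compatibility was chosen at domain creation or added later, and those two are what "locking the directory down" should remove. Emptying the group entirely, as happened in this thread, removes read access that other operations depend on, which is why delegating the specific right (listmail's suggestion) is the safer route.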

gabriel/tfi posted this 08 March 2009

Hi John,

thanks for your input, I was not aware of the rename capability from System Properties; disjoining/rejoining is not a “rename” indeed (probably I’m stuck with old NT4.0 behaviour).

Computer join is just part of our machine build process [1] and on the rare occasions a joined machine needs to be renamed we just use netdom (usually run within a highly privileged user context).

Have you tried with netdom just to test an alternate method?

Also, have you looked at the DC event log (Security) to see if you get any access denied for a certain write privilege?

Regards – Gabriele.



[1] just for the sake of the discussion, the service account used to join computers has the following permissions:

Apply onto: Computer Objects
Read Account Restrictions - ALLOW
Write Account Restrictions - ALLOW
Validated Write to Service Principal Name - ALLOW
Validated Write to DNS Host Name - ALLOW
Reset Password - ALLOW


robertsingers posted this 08 March 2009

I've never been able to successfully perform a rename via scripting. Either I could get the computer to rename or the computer object in AD, but somehow not both. I took to just calling netdom from scripts.


jkrabacher3 posted this 06 March 2009

Hi Mark,
I get the same Access Denied error when running this command.

I've got a ticket open with MS. The tech I was working with yesterday delegated a group exactly as I had and was able to do it so there's something else going on.

John


CrawfordS posted this 05 March 2009

FYI - you can skip all reboots except the last one.


gabriel/tfi posted this 05 March 2009

I don’t think you can do that from SysProperties, you need to unjoin, rename and re-join with two or three restarts….

Use netdom or scripting (e.g. the Rename method of the Win32_ComputerSystem WMI class) if you want to rename in a single shot.

Regards – Gabriele.

PARRIS posted this 05 March 2009

netdom renamecomputer machine /newname:newcomputername /userd:domainname\administratorid /passwordd:* /usero:local_admin /passwordo:* /reboot:6

(the value after /reboot: is the number of seconds before the automatic reboot)

Regards,

Mark Parris

[ADUG] UK Active Directory User Group http://adug.co.uk

jkrabacher3 posted this 05 March 2009

Hi Gabriele,
I'm just doing it through System Properties>Computer Name on the XP workstation.

Thanks,
John


gabriel/tfi posted this 05 March 2009

How do you rename a computer joined to AD? Netdom? – Gabriele.


CrawfordS posted this 05 March 2009

That does sound odd. This doesn't apply specifically to your situation, but it might point you in the right direction.

I have a startup script that tells computers to rename themselves. In order for this to work, I grant Self the following permissions on computer objects. I'm pretty sure some of the default perms are also required, but the two below are the only ones I've had to add. The meat of the script is below.

Write Computer name (pre-Windows 2000)
Write Account Restrictions

------begin------
' Connect to WMI on the local machine (the post omitted this line; it is required for ExecQuery to work)
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

' strServiceTag holds the new computer name; the original script sets it elsewhere (placeholder value here)
strServiceTag = "NEWNAME"

Set colComputers = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")

' As a startup script this runs as the computer account, which is why the rights are granted to Self
For Each objComputer In colComputers
    ' Rename returns 0 on success. The result must not be assigned to "Err", VBScript's intrinsic error object
    intReturn = objComputer.Rename(strServiceTag)
Next
------end------
