DSADD, setting securities on pre-staged accounts
-
Friday, November 23, 2012 12:07 PM
I need to pre-stage hundreds of computer accounts into a specified OU, which I can do via a batch file, lines of which may be:
dsadd computer "cn=client01,OU=In Build,OU=IT,dc=mydomain,dc=co,dc=uk"
dsadd computer "cn=client02,OU=In Build,OU=IT,dc=mydomain,dc=co,dc=uk"
dsadd computer "cn=client03,OU=In Build,OU=IT,dc=mydomain,dc=co,dc=uk"
etc
If I did this one by one via the GUI, I could specify "User or group who can join this computer to the domain". Is there such a parameter within DSADD?
thanks
All Replies
-
Friday, November 23, 2012 12:42 PM
Hi,
There doesn't seem to be any switch in DSADD to specify the user who can add it to the domain.
You can use DSACLS to set the permission after the accounts are created:
http://support.microsoft.com/default...b;en-us;281146
- Proposed As Answer by Santhosh Sivarajan-MVP Saturday, November 24, 2012 3:28 PM
-
Friday, November 23, 2012 12:48 PM
Hello,
You cannot set this option with the dsadd command.
For example, you can use the dsacls command (one command per line):
dsadd computer <ComputerDN>
dsacls <ComputerDN> /G <UserOrGroup>:CALCGRSDDTRC;;
dsacls <ComputerDN> /G <UserOrGroup>:WP;description;
dsacls <ComputerDN> /G <UserOrGroup>:WP;sAMAccountName;
dsacls <ComputerDN> /G <UserOrGroup>:WP;displayName;
dsacls <ComputerDN> /G <UserOrGroup>:WP;userAccountControl;
dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to service principal name";
dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to DNS host name";
More info about Dsacls:
How to Use Dsacls.exe in Windows Server 2003 and Windows 2000
OR
You can add this template to the delegwiz.inf file and give delegation permission to a specific user or group to join clients to the domain (by default every user can join 10 clients to the domain):
[template6]
AppliesToClasses=domainDNS,organizationalUnit,container
Description="Join Client to Domain"
ObjectTypes=SCOPE,computer
[template6.SCOPE]
computer=CC
[template6.computer]
CONTROLRIGHT="Validated write to DNS host name","Account Restrictions","Reset Password","Validated write to service principal name"
More info about delegwiz.inf and its 70+ templates:
Appendix O: Active Directory Delegation Wizard File
Regards
- Edited by Patris_70 Friday, November 23, 2012 12:52 PM
- Proposed As Answer by Santhosh Sivarajan-MVP Saturday, November 24, 2012 3:28 PM
- Marked As Answer by aerb_uk Monday, November 26, 2012 3:00 PM
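Putting the two answers together as one script: the PowerShell below is an added example, not code from either reply or from Microsoft. It pre-stages the computer objects with dsadd.exe (as in the question's batch file) and then grants one group the same per-object rights the accepted answer lists with dsacls.exe, so the group can join exactly those machines and nothing else. It assumes a domain-joined Windows host with the AD DS command-line tools installed, an account allowed to create computer objects in the OU, and placeholder names: the OU DN is taken from the question, while the group MYDOMAIN\Desktop-Builders and the client01..client03 range are assumptions to replace.

```powershell
# Added example (not from the original thread): pre-stage computer accounts with
# dsadd.exe and delegate "join this computer to the domain" rights with dsacls.exe.
# Assumptions: domain-joined host with dsadd/dsacls available; run as an account
# that can create computer objects in $ouDn; group and client names are placeholders.

$ouDn   = "OU=In Build,OU=IT,DC=mydomain,DC=co,DC=uk"     # target OU (from the question)
$joiner = "MYDOMAIN\Desktop-Builders"                      # assumed group that will join the machines
$names  = 1..3 | ForEach-Object { "client{0:D2}" -f $_ }   # client01..client03; widen the range for hundreds

# Rights granted per computer object, mirroring the dsacls sequence in the accepted answer:
#   CALCGRSDDTRC = control access, list children, generic read, delete, delete subtree, read security
#   WP on the four attributes the join writes; WS (validated write) for DNS host name and SPN.
$objectPerms     = "CALCGRSDDTRC"
$propertyWrites  = @("description", "sAMAccountName", "displayName", "userAccountControl")
$validatedWrites = @("Validated write to DNS host name", "Validated write to service principal name")

foreach ($name in $names) {
    $dn = "CN=$name,$ouDn"

    # 1. Create the pre-staged computer object.
    & dsadd.exe computer $dn
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsadd failed for $dn (exit $LASTEXITCODE); skipping ACL for this object"
        continue
    }

    # 2. Grant the joining group only the rights the GUI's "User or group who can join" sets.
    #    dsacls /G appends ACEs; re-running this adds duplicate ACEs rather than failing,
    #    so to start clean first strip the trustee with: dsacls $dn /R $joiner
    & dsacls.exe $dn /G "${joiner}:$objectPerms;;"
    foreach ($attr in $propertyWrites) {
        & dsacls.exe $dn /G "${joiner}:WP;$attr;"
    }
    foreach ($right in $validatedWrites) {
        & dsacls.exe $dn /G "${joiner}:WS;$right;"
    }

    # 3. Verify: dsacls with no switches prints the resulting ACL; confirm the trustee is present.
    $acl = & dsacls.exe $dn
    if ($acl -match [regex]::Escape($joiner)) {
        Write-Host "Delegated join rights on $dn to $joiner"
    } else {
        Write-Warning "No ACE for $joiner found on $dn; check the dsacls output above"
    }
}
```

The script has real side effects in the directory, so run it against a test OU first. The scope is deliberately the individual computer object rather than the OU: granting the group Create Child on the OU (the delegwiz.inf template's SCOPE section) would let it create and join arbitrary new machines, while per-object ACEs limit it to the names you pre-staged. The final dsacls listing is the check a reviewer will ask for; a trustee that does not appear there has not been delegated, whatever the earlier commands returned.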