machines and users in AD 2003 ?? Newbie...
- Hey guys,
I have set up my first small network.
I have an AD machine with DNS and DHCP on the same box. I created two users, bill and bob.
I then got two other machines, XP-A and XP-B, to join this domain. It all works a treat: bill and bob log on correctly, and when I view the AD machines and users, there they are. I can ping XP-A and XP-B from each other. All cool.
So my question is: why would I want to add a machine manually under the "machines" tab in AD? Can I set up AD in such a way that ONLY the machines I stipulate will be able to join the domain? In my scenario above, anyone could log in as bill or bob from ANY machine, right, since I have not tied down the machines themselves, only the users. So these "any" machines could have viruses on them and not be subject to our policy, right?
Am I thinking correctly here, guys? Any reading on this subject?
Cheers and regards, Steve
Answers
Hi Kirik,
According to your description, I understand that you want to pre-create computer accounts in AD. If I have misunderstood you, please do not hesitate to let me know.
For your reference, the following articles might be helpful for you to manage computer accounts in AD.
HOW TO: Manage Computer Accounts in Active Directory in Windows 2000
http://support.microsoft.com/kb/320187
TechNet Library:
Understanding Computer Accounts
http://technet.microsoft.com/en-us/library/cc731641.aspx
Managing Computers
http://technet.microsoft.com/en-us/library/cc771682.aspx
By default, Authenticated Users in a domain are assigned the Add workstations to a domain user right, and they can create up to 10 computer accounts in the domain. However, you can manually deny the “Create Computer Objects” and “Delete Computer Objects” Access Control Entries (ACEs) for specific users or groups in AD.
For your convenience, I list the steps below:
1. From the Active Directory Users and Computers snap-in, click Advanced Features on the View menu so that the Security tab is exposed when you click Properties.
2. Right-click the Computers container, and then click Properties.
3. On the Security tab, click Advanced.
4. On the Permissions tab, click Add and add the user group to the list of permission entries then click View/Edit.
5. Make sure the This object and all child objects option is displayed in the Apply onto box.
6. From the Permissions box, click to select the Deny check box next to the Create Computer Objects and Delete Computer Objects ACEs, and then click OK.
In addition, if you want to limit a user to logging on to specific computers, you can go to the user object’s properties in ADUC, click Account, then open the Log On To window.
Type in the computer names that you allow the user to log on to.
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked As Answer by s.kirk500 Tuesday, October 27, 2009 3:32 PM
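The same hardening Wilson describes, scripted as an added example (not from the thread or from Microsoft): it audits the default 10-account quota behind "Add workstations to a domain", lowers it to 0 so that only explicitly delegated accounts can join machines, pre-creates the two named workstations, and sets the Log On To restriction for bill and bob. It assumes the ActiveDirectory PowerShell module (RSAT; against a 2003 DC this needs the Active Directory Management Gateway Service) and Domain Admins rights; computer and user names are taken from the question.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# is available and the session runs as a Domain Admin.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$computersContainer = $domain.ComputersContainer   # e.g. CN=Computers,DC=corp,DC=example

# 1. Audit: how many computer accounts may any Authenticated User still create?
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
          -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota: $quota (default is 10)"

# 2. Harden: a quota of 0 removes the default self-service join, so only
#    accounts explicitly granted Create Computer Objects (or admins) can join.
#    This complements the Deny-ACE steps above rather than replacing them.
Set-ADDomain -Identity $domain.DistinguishedName `
             -Replace @{'ms-DS-MachineAccountQuota' = 0}

# 3. Pre-create the workstations named in the question so each join has to
#    match an account an admin stipulated (the "machines" view in ADUC).
foreach ($name in 'XP-A', 'XP-B') {
    if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
        New-ADComputer -Name $name -SAMAccountName "$name`$" `
                       -Path $computersContainer -Enabled $true
    }
}

# 4. Tie each user to their own workstation (ADUC: Account > Log On To).
#    Comma-separated NetBIOS names; the attribute holds at most 64.
Set-ADUser -Identity 'bill' -LogonWorkstations 'XP-A'
Set-ADUser -Identity 'bob'  -LogonWorkstations 'XP-B'

# 5. Verify: any user with no LogonWorkstations value can still log on anywhere.
Get-ADUser -Filter * -Properties LogonWorkstations |
    Where-Object { -not $_.LogonWorkstations } |
    Select-Object SamAccountName
```

Once the quota is 0, joining XP-A or XP-B must be done with an account that has rights on the pre-created object (the admin who created it, or a group you delegate), which is exactly the control the question asks for.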
All Replies
- Brilliant answer!!! This has filled in many blanks for me - thanks so much for your time in answering Wilson!!!

