DSADD, setting securities on pre-staged accounts

    Question

  • I need to pre-stage hundreds of computer accounts into a specified OU, which I can do via a batch file, lines of which may be:

    dsadd computer "cn=client01,OU=In Build,OU=IT,dc=mydomain,dc=co,dc=uk"
    dsadd computer "cn=client02,OU=In Build,OU=IT,dc=mydomain,dc=co,dc=uk"
    dsadd computer "cn=client03,OU=In Build,OU=IT,dc=mydomain,dc=co,dc=uk"
    etc


    If I did this one by one via the GUI I could specify "user or group who can join this computer to the domain". Is there such a parameter within DSADD?

    thanks

    Friday, November 23, 2012 12:07 PM

Answers

  • Hello,

    You can not set this option with dsadd command.

    For example, you can use dsacls command:

    dsadd computer <ComputerDN>
    rem CA = control access (extended rights such as Reset Password), LC = list children,
    rem GR = generic read, SD = delete, DT = delete tree, RC = read control
    dsacls <ComputerDN> /G <UserOrGroup>:CALCGRSDDTRC;;
    rem WP = write property on the named attribute
    dsacls <ComputerDN> /G <UserOrGroup>:WP;description;
    dsacls <ComputerDN> /G <UserOrGroup>:WP;sAMAccountName;
    dsacls <ComputerDN> /G <UserOrGroup>:WP;displayName;
    dsacls <ComputerDN> /G <UserOrGroup>:WP;userAccountControl;
    rem WS = validated write (self write) for the named control right
    dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to service principal name";
    dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to DNS host name";

    More info about Dsacls:

    How to Use Dsacls.exe in Windows Server 2003 and Windows 2000

    OR

    You can add this template to the delegwiz.inf file and give delegation permission to a specific user or group to join clients to the domain (by default every user can join 10 clients to the domain):

    [template6] 
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description="Join Client to Domain"
    
    ObjectTypes=SCOPE,computer
     
    [template6.SCOPE]
    computer=CC
     
    [template6.computer]
    CONTROLRIGHT="Validated write to DNS host name","Account Restrictions","Reset Password","Validated write to service principal name"

    More info about delegwiz.inf and 70+ templates:

    Appendix O: Active Directory Delegation Wizard File

    Regards

    • Edited by Patris_70 Friday, November 23, 2012 12:52 PM
    • Proposed as answer by Santhosh Sivarajan-MVP Saturday, November 24, 2012 3:28 PM
    • Marked as answer by aerb_uk Monday, November 26, 2012 3:00 PM
    Friday, November 23, 2012 12:48 PM
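    The dsadd + dsacls sequence from the accepted answer, scripted for a list of machines, as an added PowerShell example that is not code from the original thread (the reply below that suggests the same dsacls step after creation is covered by it too). The OU mirrors the question; the group MYDOMAIN\Desktop-Builders and the three computer names are assumptions (constructed sample input). With -DryRun the script only prints the command lines, so it runs without a domain; without it, each object is created, the seven grants are applied, and the DACL is read back to confirm the principal is actually on it.

```powershell
<#
  Added example, not code from the original thread: pre-stage computer objects
  with dsadd and delegate the domain-join rights from the accepted answer with
  dsacls, then check that the ACEs actually landed. The OU, the group name and
  the sample computer names are assumptions. -DryRun only prints the command
  lines, so it runs without a domain.
#>
[CmdletBinding()]
param(
    [string[]] $ComputerNames = @('client01', 'client02', 'client03'),   # constructed sample input
    [string]   $TargetOU      = 'OU=In Build,OU=IT,DC=mydomain,DC=co,DC=uk',
    [string]   $Joiner        = 'MYDOMAIN\Desktop-Builders',             # assumed group
    [switch]   $DryRun
)

# The seven grants from the accepted answer, in the form dsacls expects after /G:
#   <principal>:<permission bits>;<attribute or control right>;
# The control-right names carry no embedded quotes here: PowerShell quotes any
# argument containing spaces when it calls a native executable, so dsacls still
# receives "...:WS;Validated write to DNS host name;" as a single token.
$script:JoinGrants = @(
    'CALCGRSDDTRC;;'                                 # CA, LC, GR, SD, DT, RC on the object itself
    'WP;description;'
    'WP;sAMAccountName;'
    'WP;displayName;'
    'WP;userAccountControl;'
    'WS;Validated write to service principal name;'
    'WS;Validated write to DNS host name;'
)

function ConvertTo-EscapedRdn {
    # Escape the RFC 4514 special characters inside an RDN value so a name such
    # as "lab,OU=Servers" cannot move the object into a different container.
    # (Leading '#' and leading/trailing spaces are not handled here.)
    param([Parameter(Mandatory)][string] $Value)
    return ($Value -replace '([,+"\\<>;=])', '\$1')
}

function New-ComputerDn {
    param([Parameter(Mandatory)][string] $Name, [Parameter(Mandatory)][string] $OU)
    return ('CN={0},{1}' -f (ConvertTo-EscapedRdn $Name), $OU)
}

function Get-JoinDelegationCalls {
    # One argument list per external call: dsadd first, then the seven dsacls grants.
    param([Parameter(Mandatory)][string] $Dn, [Parameter(Mandatory)][string] $Principal)
    $calls = @(, @('dsadd', 'computer', $Dn))
    foreach ($grant in $script:JoinGrants) {
        $calls += , @('dsacls', $Dn, '/G', ('{0}:{1}' -f $Principal, $grant))
    }
    return $calls
}

function Format-CommandLine {
    # Render an argument list the way it would be typed at a cmd.exe prompt.
    param([Parameter(Mandatory)][string[]] $Call)
    return (($Call | ForEach-Object { if ($_ -match '\s') { '"' + $_ + '"' } else { $_ } }) -join ' ')
}

function Invoke-Native {
    # Run one argument list; $true on exit code 0.
    param([Parameter(Mandatory)][string[]] $Call)
    $exe  = $Call[0]
    $rest = $Call[1..($Call.Count - 1)]
    & $exe @rest | Out-Null
    return ($LASTEXITCODE -eq 0)
}

foreach ($name in $ComputerNames) {
    $dn    = New-ComputerDn -Name $name -OU $TargetOU
    $calls = Get-JoinDelegationCalls -Dn $dn -Principal $Joiner

    if ($DryRun) {
        $calls | ForEach-Object { Format-CommandLine $_ }
        continue
    }

    # Stop at the first failure for this object so a half-delegated account is
    # reported rather than silently left behind.
    $ok = $true
    foreach ($call in $calls) {
        if (-not (Invoke-Native $call)) {
            Write-Warning ("{0}: '{1}' failed with exit code {2}" -f $name, (Format-CommandLine $call), $LASTEXITCODE)
            $ok = $false
            break
        }
    }
    if (-not $ok) { continue }

    # Coarse check: dsacls with no switches dumps the DACL, and the delegated
    # principal must now appear in it.
    $dacl = & dsacls $dn 2>&1
    if ($dacl -match [regex]::Escape($Joiner)) {
        Write-Output ("{0}: pre-staged, join delegated to {1}" -f $name, $Joiner)
    } else {
        Write-Warning ("{0}: object created but {1} is not in its DACL" -f $name, $Joiner)
    }
}
```

    For the real run, feed the names in with -ComputerNames (Get-Content names.txt). Two things worth keeping in mind when handing out these ACEs: the CA in CALCGRSDDTRC with no object type covers every extended right on the object, Reset Password included, so whoever holds it can set the machine account's password and authenticate as that computer; grant it to a tightly scoped build group and consider removing the ACEs once the machines are built. And because the administrator creates the object and the joiner only writes to it, the join is not counted against the per-user quota (ms-DS-MachineAccountQuota) the answer alludes to.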

All replies

  • Hi,

    There doesn't seem to be any switch in DSADD to specify the user who can add it to the domain.

    You can use DSACLS to set the permission after the accounts are created
    http://support.microsoft.com/default...b;en-us;281146

    Friday, November 23, 2012 12:42 PM