Modify ACL for Computer Object

  • Question

  • I have to modify the SELF account permissions on all of our SCCM servers to contain the following parameters:

    SELF: 
    Create All Child Objects
    Delete All Child Objects
    Validated write to DNS host name
    Validated write to service principal name
    Read Personal Information
    Write Personal Information

    Is it possible to do this via the set-acl cmdlet, or is there some other way to automate?

    Regards,
    Brian

    Friday, September 21, 2012 9:24 PM

Answers

  • Hello jrv,

    This issue began to appear for my SCCM admin after we introduced AD 2008 R2 into the environment at the beginning of this past summer.  He came across the following article and after testing the recommended steps was able to resolve the issue.

    http://support.microsoft.com/kb/2009647

    Also, I just completed an AD RAP with Microsoft Professional Services last month and scored very high marks for the health of my AD environment and still do not see any issues pop up when running the RAP tool.

    • Marked as answer by Bill_Stewart Saturday, November 24, 2012 2:25 PM
    Monday, September 24, 2012 10:31 PM

All replies

  • What child objects does an SCCM computer have?  Create all child objects only applies to children of the computer account.  Computer accounts seldom have children.  One deviation from that is an MSMQ or a printer queue.  These are children of the computer, but they are also created by default by the computer account because a computer account can create children.  If the child is a printer or a message queue, the installer for these is automatically creating them as a child.  This right is inherent, so why would you think you need to alter it?

    I suspect that your idea that you need to do this is because something else is wrong.  Perhaps someone else has altered global permissions on AD objects, causing a computer account to fail to create objects that are rightfully children.  This right does not come from the security setting you are asking to change.  The changes you are asking for affect an object's rights over all of AD and are not needed for an object to manage itself.

    I can create shares, print and message queues on any computer in a domain without altering this setting.  Why would you need to?  By default all computer objects have the right to create all child objects.  Why is this not true in your domain?  Start by fixing this before you start altering things.  This right must be propagated to new objects.  If that has not happened or is not happening, you need to figure out why.  Just fudging this may well get you into much bigger problems as you move forward.

    Why is this right missing?  Suspect a rogue admin or a malicious user, then look for someone who is just guessing at how things work.  You must fix the underlying cause.


    ¯\_(ツ)_/¯

    Friday, September 21, 2012 10:46 PM
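A read-only audit that follows jrv's advice to find out where the default SELF rights are missing before anyone rewrites ACLs. This is an added example, not code posted in the thread; it assumes the RSAT ActiveDirectory module, that the rights Brian lists map to the ACE masks shown in the comments, and that the property set is published in Extended-Rights under the displayName "Personal Information".

```powershell
# Added audit example (not from the thread). Lists computer objects whose SELF
# (S-1-5-10) ACEs lack the rights Brian enumerates. Assumes the RSAT AD module.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$selfSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'
$adr     = [System.DirectoryServices.ActiveDirectoryRights]

# Resolve validated-write / property-set GUIDs from this forest's
# Extended-Rights container rather than hard-coding them.
function Get-RightsGuid([string]$DisplayName) {
    $car = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    return [guid]$car.rightsGuid
}
$dnsGuid = Get-RightsGuid 'Validated write to DNS host name'
$spnGuid = Get-RightsGuid 'Validated write to service principal name'
$piGuid  = Get-RightsGuid 'Personal Information'   # assumed property-set displayName

# Expected SELF rights, in the order given in the question.
# [guid]::Empty means any child class / any property.
$expected = @(
    @{ Label = 'Create All Child Objects';                  Right = $adr::CreateChild;   Guid = [guid]::Empty }
    @{ Label = 'Delete All Child Objects';                  Right = $adr::DeleteChild;   Guid = [guid]::Empty }
    @{ Label = 'Validated write to DNS host name';          Right = $adr::Self;          Guid = $dnsGuid }
    @{ Label = 'Validated write to service principal name'; Right = $adr::Self;          Guid = $spnGuid }
    @{ Label = 'Read Personal Information';                 Right = $adr::ReadProperty;  Guid = $piGuid }
    @{ Label = 'Write Personal Information';                Right = $adr::WriteProperty; Guid = $piGuid }
)

# True when an Allow ACE for SELF carries the right, either scoped to the
# expected GUID or unscoped (empty ObjectType). GenericAll passes the mask test too.
function Test-SelfRight($Aces, $Item) {
    foreach ($ace in $Aces) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference -ne $selfSid) { continue }
        if (([int]$ace.ActiveDirectoryRights -band [int]$Item.Right) -eq 0) { continue }
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $Item.Guid) { return $true }
    }
    return $false
}

# Read-only pass: Get-Acl only, nothing is written back with Set-Acl.
foreach ($computer in Get-ADComputer -Filter *) {
    $acl  = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $missing = $expected | Where-Object { -not (Test-SelfRight $aces $_) } | ForEach-Object { $_.Label }
    if ($missing) {
        [pscustomobject]@{ Computer = $computer.Name; MissingSelfRights = ($missing -join '; ') }
    }
}
```

Objects that show up here with the same missing rights usually share an OU or a GPO-driven default, which is the place to look for the altered permissions rather than patching each ACL.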
  • Two year old article!

    No need to script the solution.  It is a one-off solution.

    This issue was resolved by subsequent service pack/patch.

    I can see no reason why your request and this article are in any way related.


    ¯\_(ツ)_/¯

    Tuesday, September 25, 2012 4:48 AM