[Prestaging Computer] [AD Delegation] How to prestage a computer in AD with an account Domain User only (command line)

  • Question

  • Hello,

    The goal is to prestage computers in Active Directory, but the account used is only a Domain User.

    In the DSA console, with an account allowed to create computer objects in AD, I can create a computer object and change the account or the group that will join the computer to the domain.

    With this, it works fine.

    But when I want to perform the same action from the command line, it's not working.

    See the script (PowerShell):

    # Create the computer object
    New-QADComputer -Credential $Cred -Description "Test AutoAdd Prestage" -Name $cpuName -ParentContainer "" -Service $DC
    # Change the ACL of the newly created computer object
    $DelegatedGroup = "DomainName\AccountWithNoRights"
    $Object = "ThisObjectOnly"
    # Write Account Restrictions
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'ReadProperty,WriteProperty' -PropertySet 'User-Account-Restrictions'
    # Validated write to Service Principal Name
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ValidatedWrite 'Validated-SPN'
    # Validated write to DNS host name
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ValidatedWrite 'Validated-DNS-Host-Name'
    # Write sAMAccountName
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -Property 'SAMAccountName'
    # Write DisplayName
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -Property 'DisplayName'
    # Write Description
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -Property 'Description'
    # Write Logon Information
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -PropertySet 'User-Logon'
    # Delete
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'Delete'
    # Delete Subtree
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'DeleteTree'
    # Allowed to authenticate
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ExtendedRight 'Allowed-To-Authenticate'
    # Change Password
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ExtendedRight 'User-Change-Password'
    # Reset Password
    Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ExtendedRight 'User-Force-Change-Password'

    Has anyone tried to prestage computers in AD with an account that is only a Domain User, without any other delegation, from the command line rather than the DSA console?

    Thanks for your help.

    Wednesday, 7 January 2015 09:45
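A practical way to debug the difference between the console-created and the script-created object is to dump the ACEs that actually landed on each computer object for the delegated group and compare them. The following audit function is an added example, not code from the post or from the Quest cmdlets; it uses the native ActiveDirectory (RSAT) module and the AD: drive, resolves object-type GUIDs from the schema and Extended-Rights container instead of hard-coding them, and assumes the delegated account name and the computer name are passed in (the values `DomainName\AccountWithNoRights` and `$cpuName` are taken from the post). Run it once against the computer created in DSA and once against the one created by the script; any ACE present on the first and missing on the second is what still needs to be granted. The `Inheritance` column also lets you confirm each ACE is scoped to the object itself (`None`) rather than to child objects.

```powershell
# Added example (not from the original post): audit the ACL of a prestaged
# computer object and list the ACEs granted to the delegated account.
# Assumes the RSAT ActiveDirectory module is installed and you are logged on
# with an account that can read the object's security descriptor.
Import-Module ActiveDirectory

function Get-ADGuidNameMap {
    # Build a lookup from object-type GUID to a readable name so that ACEs
    # scoped to an attribute, property set, validated write or extended right
    # can be reported by name. Nothing is hard-coded; everything is read from
    # the forest's own schema and configuration partitions.
    $map = @{}
    $rootDse = Get-ADRootDSE

    # Attributes and classes carry their GUID in schemaIDGUID (a byte array)
    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object {
            $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName
        }

    # Property sets, validated writes and extended rights live under
    # CN=Extended-Rights and carry their GUID in rightsGuid (a string)
    $erContainer = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    Get-ADObject -SearchBase $erContainer `
                 -LDAPFilter '(objectClass=controlAccessRight)' `
                 -Properties displayName, rightsGuid |
        ForEach-Object {
            $map[([guid]$_.rightsGuid).ToString()] = $_.displayName
        }

    return $map
}

function Get-DelegatedComputerAce {
    param(
        [Parameter(Mandatory)][string]$ComputerName,      # e.g. $cpuName from the post
        [Parameter(Mandatory)][string]$DelegatedAccount   # e.g. 'DomainName\AccountWithNoRights'
    )

    $computer = Get-ADComputer -Identity $ComputerName
    $acl      = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $names    = Get-ADGuidNameMap

    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $DelegatedAccount } |
        ForEach-Object {
            $objectType = $_.ObjectType.ToString()
            [pscustomobject]@{
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                # An empty ObjectType GUID means the ACE covers the whole object
                ObjectType  = if ($_.ObjectType -eq [guid]::Empty) { '(entire object)' }
                              elseif ($names.ContainsKey($objectType)) { $names[$objectType] }
                              else { $objectType }
                Inheritance = $_.InheritanceType
            }
        }
}

# Usage: compare the object created in the DSA console with the scripted one.
# Computer names below are placeholders for your own prestaged objects.
Get-DelegatedComputerAce -ComputerName 'PC-FROM-DSA'    -DelegatedAccount 'DomainName\AccountWithNoRights' |
    Format-Table -AutoSize
Get-DelegatedComputerAce -ComputerName 'PC-FROM-SCRIPT' -DelegatedAccount 'DomainName\AccountWithNoRights' |
    Format-Table -AutoSize
```

Reading the output from a least-privilege angle: the rights that matter for a domain join are the validated writes (SPN and DNS host name), the account-restrictions property set and the reset-password extended right; `Delete`, `DeleteTree` and `Allowed-To-Authenticate` are not required for the join itself, so if the console-created object does not carry them there is no reason for the script to grant them.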