Hello,
The goal is to prestage computers in Active Directory, but the account used is only a Domain User.
In the DSA console, with an account allowed to create computer objects in AD, I can create a computer object and change the account or the group that will join the computer to the domain.
With this, it works fine.
But when I want to perform the same action from the command line, it's not working.
See the script (PowerShell):
# Load the Quest ActiveRoles snap-in that provides the QAD cmdlets
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Values used below (placeholders, adapt to the environment)
$DC      = "dc01.domain.blabla.com"   # domain controller to target
$cpuName = "LAB-PC01"                 # name of the computer object to prestage
$Cred    = Get-Credential             # account allowed to create computer objects in the OU

# Create the computer object
New-QADComputer -Credential $Cred -Description "Test AutoAdd Prestage" -Name $cpuName -ParentContainer "domain.blabla.com/LAB/Computers" -Service $DC

# Change the ACL of the newly created computer object
$DelegatedGroup = "DomainName\AccountWithNoRights"   # principal that will join the computer to the domain
$Object = "ThisObjectOnly"                           # scope: this object only, no inheritance
# Write Account Restrictions
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'ReadProperty,WriteProperty' -PropertySet 'User-Account-Restrictions'
# Validated write to Service Principal Name
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ValidatedWrite 'Validated-SPN'
# Validated write to DNS host name
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ValidatedWrite 'Validated-DNS-Host-Name'
# Write SAMAccountName
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -Property 'SAMAccountName'
# Write DisplayName
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -Property 'DisplayName'
# Write Description
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -Property 'Description'
# Write Logon Information
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -PropertySet 'User-Logon'
# Delete
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'Delete'
# Delete Subtree
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'DeleteTree'
# Allowed to authenticate
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ExtendedRight 'Allowed-To-Authenticate'
# Change Password
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ExtendedRight 'User-Change-Password'
# Reset Password
Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ExtendedRight 'User-Force-Change-Password'
Has anyone tried to prestage computers in AD from the command line, with an account that is only a Domain User and has no other delegation, rather than with the DSA console?
Thanks for your help,
Regards,
Alexandre
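Not from Alexandre's post: an added example of the same prestage-and-delegate sequence done with Microsoft's ActiveDirectory module and System.DirectoryServices instead of the Quest QAD cmdlets, so the delegation can be reproduced without the snap-in. The computer name, DC name and OU distinguished name are placeholders (the DN assumes LAB and Computers are OUs under domain.blabla.com), and the delegated principal is the one from the post. No rights GUIDs are hard-coded: each property set, validated write and control access right is resolved at run time from the Extended-Rights container by the same CN the QAD script uses, and each attribute from the schema by its lDAPDisplayName. It assumes the supplied credential can create computer objects in the OU, which is what the DSA console test in the post also required.

```powershell
# Added example (not from the original post): prestage a computer object and delegate
# the domain-join rights to a low-privilege principal with the ActiveDirectory module
# and System.DirectoryServices, instead of the Quest QAD cmdlets.
# Placeholder/assumed values: $cpuName, $dc, $ouDn.
Import-Module ActiveDirectory

$cpuName        = 'LAB-PC01'                                        # placeholder computer name
$dc             = 'dc01.domain.blabla.com'                          # placeholder domain controller
$ouDn           = 'OU=Computers,OU=LAB,DC=domain,DC=blabla,DC=com'  # assumes LAB/Computers are OUs
$delegatedGroup = 'DomainName\AccountWithNoRights'                  # principal from the post
$cred           = Get-Credential -Message 'Account allowed to create computer objects in the OU'

$rootDse = Get-ADRootDSE -Server $dc -Credential $cred

# schemaIDGUID of an attribute, looked up by lDAPDisplayName in the schema naming context
function Get-SchemaAttributeGuid([string]$LdapDisplayName) {
    $attr = Get-ADObject -Server $dc -Credential $cred `
        -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    [guid]$attr.schemaIDGUID
}

# rightsGuid of a property set, validated write or control access right, looked up by CN
# in the Extended-Rights container (the CNs are the names the QAD script uses)
function Get-ExtendedRightGuid([string]$Cn) {
    $right = Get-ADObject -Server $dc -Credential $cred `
        -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(cn=$Cn)" -Properties rightsGuid
    [guid]$right.rightsGuid
}

# 1. Create the disabled computer object. The caller needs "Create computer objects" on
#    the OU; as creator it is normally the owner of the new object and may edit its DACL.
$computer = New-ADComputer -Name $cpuName -SamAccountName "$cpuName`$" -Path $ouDn `
    -Description 'Test AutoAdd Prestage' -Enabled $false `
    -Server $dc -Credential $cred -PassThru

# 2. Describe the ACEs: the same rights as the QAD script, scoped to this object only
$R = [System.DirectoryServices.ActiveDirectoryRights]
$aceSpecs = @(
    @{ Rights = $R::ReadProperty -bor $R::WriteProperty; Guid = Get-ExtendedRightGuid 'User-Account-Restrictions' }
    @{ Rights = $R::Self;          Guid = Get-ExtendedRightGuid 'Validated-SPN' }            # validated write
    @{ Rights = $R::Self;          Guid = Get-ExtendedRightGuid 'Validated-DNS-Host-Name' }  # validated write
    @{ Rights = $R::WriteProperty; Guid = Get-SchemaAttributeGuid 'sAMAccountName' }
    @{ Rights = $R::WriteProperty; Guid = Get-SchemaAttributeGuid 'displayName' }
    @{ Rights = $R::WriteProperty; Guid = Get-SchemaAttributeGuid 'description' }
    @{ Rights = $R::WriteProperty; Guid = Get-ExtendedRightGuid 'User-Logon' }              # property set
    @{ Rights = $R::ExtendedRight; Guid = Get-ExtendedRightGuid 'Allowed-To-Authenticate' }
    @{ Rights = $R::ExtendedRight; Guid = Get-ExtendedRightGuid 'User-Change-Password' }
    @{ Rights = $R::ExtendedRight; Guid = Get-ExtendedRightGuid 'User-Force-Change-Password' }
)

# 3. Bind to the new object with the same credential and append the ACEs to its DACL
$sid   = ([System.Security.Principal.NTAccount]$delegatedGroup).Translate([System.Security.Principal.SecurityIdentifier])
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$none  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # same scope as "ThisObjectOnly"

$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$dc/$($computer.DistinguishedName)",
    $cred.UserName, $cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)

foreach ($spec in $aceSpecs) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$spec.Rights, $allow, [guid]$spec.Guid, $none)
    $entry.ObjectSecurity.AddAccessRule($rule)
}
# Delete and Delete Subtree are object-wide rights, so they carry no object-type GUID
$entry.ObjectSecurity.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]($R::Delete -bor $R::DeleteTree), $allow, $none)))
$entry.CommitChanges()

# 4. Read the DACL back and show only the ACEs granted to the delegated principal
$entry.RefreshCache()
$entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $delegatedGroup } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

The verification step at the end is the part worth keeping in any version of this procedure: every ACE should show InheritanceType None and a non-empty ObjectType except the Delete/DeleteTree entry, which confirms the grant is limited to this one computer object rather than leaking onto the OU or onto other attributes.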