[Prestaging Computer] [AD Delegation] How to prestage a computer in AD with an account Domain User only (command line)

• Question

• 

  

  1

  Connectez-vous pour voter

  hello,

  the goal is to prestage Computers in Active Directory, but the used account is only Domain User.

  in DSA console, with an account allowed to create Computer objects in AD, i can create a computer object and change the account or the group who will be join the computer to domain

  
  

  with this, it works fine.

  But, when i want to perform the same action in command line. it's not working. 

  see the script (powershell) : 

  #Create the computer object 
  New-QADComputer -Credential $cred -Description "Test AutoAdd Prestage" -name $cpuName -ParentContainer "domain.blabla.com/LAB/Computers" -service $DC
  
  #Change ACL of newly created computer object
  $DelegatedGroup = "DomainName\AccountWithNoRights"
  $Object = "ThisObjectOnly"
  
  # Write Account Restrictions
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'ReadProperty,WriteProperty' -PropertySet 'User-Account-Restrictions'
  
  # Validated to write Service Principal 
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ValidatedWrite 'Validated-SPN'
  
  #  Validated write to write to DNS host name
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -ValidatedWrite 'Validated-DNS-Host-Name'
  
  # Write SAMAccountName
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -Property 'SAMAccountName'
  
  # Write DisplayName
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -Property 'DisplayName'
  
  # Write Description
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -Property 'Description'
  
  # Write Logon Information
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'WriteProperty' -PropertySet 'User-Logon'
  
  # Delete
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'Delete'
  
  # Delete Subtree
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Rights 'Deletetree'
  
  
  # Allow to authenticate
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Extendedright 'Allowed-To-Authenticate'
  
  #  Change Password
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Extendedright 'User-Change-Password'
  
  # Reset Password
  Add-QADPermission -Account $DelegatedGroup -ApplyTo $Object -Credential $Cred -Identity $cpuName -Extendedright 'User-Force-Change-Password'
  
  

  Does anyone has tried to prestage Computers in AD with an account only Domain User, without any other delegation  in Command line and not with DSA Console ?

  thanks for your help

  regards

  Alexandre

  
  

  • Déplacé Boris Ivanov _ mercredi 7 janvier 2015 10:32

  mercredi 7 janvier 2015 09:45

  Réponse

  |

  Citation