Active Directory computer account rename permission

  • Question

  • Hi,

      I'm using an Active Directory 2008 domain setup. I have delegated permission to the help-desk support team to join computer accounts to the domain. I've given the following permissions to our team.

    =======================================

    validated write to dns host name

    reset password

    validated write to service principal 

    read account restriction

    write account restriction

    create computer objects

    delete computer objects

    =======================================

     

    If they want to rename any computer account in the domain, they can't. When they tried to rename one, the support team got the error below.

     

    The following error occurred attempting to rename the computer to "computer account name": access denied.

     

    Can anyone tell me which permission I should give? Please let me know.

     

     


    Aucsna
    Sunday, February 5, 2012 7:57 AM

Answers

  • Hello,

     

    As additional info:

    You can add more templates to your delegwiz.inf file.

    Go to the directory %windir%\Inf (on Windows Server 2008 or later, %windir%\system32) and copy the delegwiz.inf file from there into your delegwiz.inf file (you must have permission to change and save this file).

    To rename a computer account, use template 35.

     

    Regards

    • Proposed as answer by Lain Robertson Sunday, February 5, 2012 12:42 PM
    • Marked as answer by Yan Li_ Monday, February 6, 2012 8:35 AM
    Sunday, February 5, 2012 12:09 PM
  • Hi,

    To rename a computer account, you need to give the right "write all properties" on the computer object to the specified group/account.

    Start looking here: http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/3e0128f0-cbdc-457e-8580-504d0053dacd


    Bechir Gharbi | http://myitforum.com/myitforumwp/community/members/bgharbi/ | Time zone : GMT+1
    • Proposed as answer by Patris_70 Sunday, February 5, 2012 12:09 PM
    • Marked as answer by Yan Li_ Monday, February 6, 2012 8:33 AM
    Sunday, February 5, 2012 8:44 AM
  • The best part about Patris's approach is that it's easy; however, much as with delegating "write all properties", it allows the delegate to potentially change too much.

    I'd recommend changing the "@=WP" in Template 35 to be the following - which you can also see correctly specified in Template 45:

    • cn=WP
    • name=WP
    • distinguishedName=WP

    This provides a better level of security insofar as it's exactly what was asked for - no more, no less: the ability to rename the computer.

    Cheers,
    Lain

    • Proposed as answer by Patris_70 Sunday, February 5, 2012 3:02 PM
    • Marked as answer by Yan Li_ Monday, February 6, 2012 8:35 AM
    Sunday, February 5, 2012 1:20 PM

All replies

  • Hello,

    please see: http://support.microsoft.com/kb/932455


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Proposed as answer by Patris_70 Sunday, February 5, 2012 12:09 PM
    Sunday, February 5, 2012 9:31 AM
  • Thanks, it works fine for me.

     

     


    Aucsna
    Sunday, February 5, 2012 11:10 AM
  • Hello,

     

    Maybe you're asking, what is WP?

    Here is info:

    CA = Control Access
    CC = Create all child Objects
    DC = Delete all Child Objects
    DT = Delete Subtree
    GA = Generic All
    GE = Generic Execute
    GR = Generic Read
    GW = Generic Write
    LC = List Contents
    LO = List Object
    RC = Read permissions
    RP = Read all Properties
    SD = Delete
    WD = Modify Permissions
    WO = Modify Owner
    WP = Write all Properties
    WS = Write Self

     

    Regards

    Sunday, February 5, 2012 3:03 PM
  • The best part about Patris' is that it's easy, however much as with delegating "write all properties" it allows the delegate to potentially change too much.

    I'd recommend changing the "@=WP" in Template 35 to be the following - which you can also see correctly specified in Template 45:

    • cn=WP
    • name=WP
    • distinguishedName=WP

    This provides a better level of security insofar as it's exactly what was asked for - no more, no less: the ability to rename the computer.

    Cheers,
    Lain

    I tried this, but it didn't work. When I went back to review the special permissions applied, 3 items were listed, but all blank.


    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Thursday, July 12, 2012 8:26 PM
  • Hello Mike,

    Is the user a member of the local Administrators group on the target computer?

    Regards

    Thursday, July 12, 2012 8:45 PM
  • That's not related.  I am saying the replacement of

    • @=WP

    with 

    • cn=WP
    • name=WP
    • distinguishedName=WP

    (no bullets)

    doesn't apply valid permissions to the container object in AD.



    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Thursday, July 12, 2012 10:07 PM
  • OH, Sorry Mike.

    Please try this (I tested and worked):

    ;---------------------------------------------------------
    [template35]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Rename a computer account"
    
    ObjectTypes = SCOPE, computer
    
    [template35.SCOPE]
    computer=CC
    
    [template35.computer]
    CONTROLRIGHT="Validated write to DNS host name","Account Restrictions","Reset Password","Validated write to service principal name"
    name=WP
    cn=WP
    dNSHostName=WP
    sAMAccountName=WP
    ;----------------------------------------------------------
    

    Also, the name properties of a computer account are:

    name = RDN

    cn = CommonName

    dNSHostName = DNS Name

    sAMAccountName = Computer name (pre-Windows 2000)

    and we use this part for joining a computer to the domain:

    CONTROLRIGHT="Validated write to DNS host name","Account Restrictions","Reset Password","Validated write to service principal name"

    Regards

    Friday, July 13, 2012 10:50 AM
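    The least-privilege delegation described in Lain's post and in Patris's tested template35 above, written as an added PowerShell example (not code from this thread or from Microsoft): it grants WriteProperty only on the four rename attributes, only on descendant computer objects of one OU, and then reads the ACL back so an ACE whose GUID does not resolve to a named attribute (the "blank" entries Mike saw) is caught in the shell. The OU and group names are assumptions; the validated writes and Reset Password from the original question are assumed to be delegated separately.

```powershell
# Added example: property-scoped rename delegation for computer objects.
Import-Module ActiveDirectory

$ouDN      = "OU=Workstations,DC=example,DC=com"   # assumed OU
$groupName = "HelpDesk-ComputerRename"             # assumed delegate group
$attrs     = @("name", "cn", "dNSHostName", "sAMAccountName")  # template35 set

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Look up schemaIDGUIDs in the live schema rather than hard-coding them; an ACE
# whose objectType GUID matches no schema object is what shows as a blank entry.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)"
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$computerClassGuid = Get-SchemaGuid "computer"
$guidToName = @{}
foreach ($attr in $attrs) { $guidToName[(Get-SchemaGuid $attr).ToString()] = $attr }

$sid = (Get-ADGroup $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

foreach ($attr in $attrs) {
    $ruleArgs = @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),                                          # this attribute only
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClassGuid                                               # computer objects only
    )
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: every WriteProperty ACE for the group must map back to a known attribute.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" -and
                   $_.ActiveDirectoryRights -eq "WriteProperty" } |
    ForEach-Object {
        $name = $guidToName[$_.ObjectType.ToString()]
        if (-not $name) { Write-Warning "Unresolved objectType $($_.ObjectType) in ACE" }
        "{0,-15} on class {1}" -f ($name ?? "<blank>"), $_.InheritedObjectType
    }
```

    The `??` operator needs PowerShell 7; on Windows PowerShell 5.1 replace it with an if/else on `$name`.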
  • Thanks, I'll check this and report back.


    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Friday, July 13, 2012 2:23 PM
  • Hello,

    fantastic article! Thanks a lot!

    I'd like to add a small piece of advice: to be able to modify the template file on Windows 2008, you will need to take ownership of it and change its NTFS permissions.

     Kind regards,

    Marco - StockTrader

    Friday, July 25, 2014 1:42 PM