Mike R. (Guest)
Posted: Fri May 12, 2006 12:21 am    Post subject: AD Delegation Issue - Computer Objects
Hi there,
I'm trying to delegate control over computer objects in an OU structure in
my domain. My issue began with delegating the ability to add computers to
the domain, but has morphed a little. For the purpose of this post, I'll
call the OU "Standard Computers".
I've successfully delegated the ability to create machines and add them to
the domain by following the instructions in Q article 329195. A user of my
delegated group can create a computer object, go to the physical PC, log in
as an administrator, and join it to the domain using their credentials.
However, if a computer object is created by any other user, I receive an
error when I attempt to join it to the domain. The exact error is:
Computer Name Changes
The following error occurred attempting to join the domain "mydomain":
Access is denied.
If possible, I would like to refrain from delegating more control than is
necessary over this computer OU structure. The goal is to allow a global
group complete control over computer objects in this OU without allowing them
to create other types of objects - users, groups, etc.
I appreciate any input you can provide. Thanks!
Mike
Jorge de Almeida Pinto [MVP] (Guest)
Posted: Fri May 12, 2006 1:32 am    Post subject: Re: AD Delegation Issue - Computer Objects
see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:6F8AC060-1CC9-43AC-B67C-0B8E05A72D71@microsoft.com...
Mike R. (Guest)
Posted: Fri May 12, 2006 10:00 pm    Post subject: Re: AD Delegation Issue - Computer Objects
Good information, thanks. I'm still having some issues, but you put me on
the right track there.
Without modifying the directory, I'm working on delegating control to
Create, Delete, Modify, and Move computer objects within an OU tree. It's
not easy to delegate that without giving out rights to a lot more - if anyone
has all the rights related to just computer accounts documented, I'd love to
see it. I've done quite a bit of searching and haven't found it yet.
Thanks!
neo [mvp outlook] (Guest)
Posted: Sun May 14, 2006 5:40 pm    Post subject: Re: AD Delegation Issue - Computer Objects
I use this template in the delegwiz.inf file. It does not permit the junior
admin to check the box labeled "Trust computer for delegation", but
they should be able to Create, Delete, Rename (modify), and move things
around w/out issue.
;----------------------------------------------------------
; Custom template for the Delegation of Control Wizard (delegwiz.inf)
[template180]
; Offered by the wizard when it is run on an organizational unit
AppliesToClasses=organizationalUnit
Description = "Create, delete, and manage computer accounts"
; Two permission sets: one on the OU itself (SCOPE), one on computer objects
ObjectTypes = SCOPE, computer
[template180.SCOPE]
; On the OU: Create Child (CC) and Delete Child (DC) for computer objects only
computer=CC,DC
[template180.computer]
; On computer objects: the "Reset Password" control right ...
CONTROLRIGHT= "Reset Password"
; ... plus Write Property (WP) on every attribute (@ = all attributes)
@=WP
;----------------------------------------------------------
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:336E615E-4673-40F8-A8EC-70EE33EF2262@microsoft.com...
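As an added example (not from the thread or either poster), the same delegation done with PowerShell instead of the wizard template above, narrowed from "WP on all attributes" to the rights a pre-staged domain join actually needs, so a group member can also join a computer object that someone else created (the case in the first post). It goes beyond the template in that it resolves the class and rights GUIDs from the directory rather than hardcoding them; it assumes the ActiveDirectory module, and the OU DN and group name are placeholders.

```powershell
# Added example, not from the thread: least-privilege delegation for computer
# objects under an OU. Placeholders: the OU DN and the group name.
Import-Module ActiveDirectory

$OuDn  = 'OU=Standard Computers,DC=mydomain,DC=local'   # placeholder OU
$Group = Get-ADGroup 'GG-ComputerAdmins'                  # placeholder global group
$Sid   = [System.Security.Principal.SecurityIdentifier]$Group.SID

$RootDse = Get-ADRootDSE
# schemaIDGUID of the computer class, looked up by lDAPDisplayName
$ComputerGuid = [guid](Get-ADObject -SearchBase $RootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# rightsGuid of a control right / validated write / property set, by displayName
function Get-RightsGuid([string]$DisplayName) {
    $er = "CN=Extended-Rights,$($RootDse.configurationNamingContext)"
    [guid](Get-ADObject -SearchBase $er -LDAPFilter "(displayName=$DisplayName)" `
        -Properties rightsGuid).rightsGuid
}
$ResetPwd = Get-RightsGuid 'Reset Password'
$ValDns   = Get-RightsGuid 'Validated write to DNS host name'
$ValSpn   = Get-RightsGuid 'Validated write to service principal name'
$AcctRest = Get-RightsGuid 'Account Restrictions'   # property set incl. userAccountControl

$A    = [System.DirectoryServices.ActiveDirectoryAccessRule]
$T    = [System.Security.AccessControl.AccessControlType]::Allow
$All  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$Rules = @(
    # On the OU and every sub-OU: create/delete child objects of class computer only
    $A::new($Sid, 'CreateChild, DeleteChild', $T, $ComputerGuid, $All),
    # On descendant computer objects only (inheritedObjectType = computer):
    $A::new($Sid, 'ExtendedRight', $T, $ResetPwd, $Desc, $ComputerGuid),  # Reset Password
    $A::new($Sid, 'Self',          $T, $ValDns,   $Desc, $ComputerGuid),  # validated write: dNSHostName
    $A::new($Sid, 'Self',          $T, $ValSpn,   $Desc, $ComputerGuid),  # validated write: SPN
    $A::new($Sid, 'WriteProperty', $T, $AcctRest, $Desc, $ComputerGuid)   # Account Restrictions set
)

$Acl = Get-Acl -Path "AD:\$OuDn"
foreach ($r in $Rules) { $Acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$OuDn" -AclObject $Acl

# Verify: list only the ACEs on the OU that reference the group, resolved by SID
$Check = Get-Acl -Path "AD:\$OuDn"
$Check.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $Sid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it as an account allowed to modify the OU's DACL; the final listing is what to compare against the wizard template's result when checking that no broader write access was granted.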