I set up a group and gave it the following access to an OU. When I
manually add a computer account to the OU, users in the group can go
to that computer and add it to the domain. However, if I use DSADD
COMPUTER to add it (and include the "-samid" to make sure it matches
the CN) - they get an access denied! Everything looks exactly the same
between when it is created manually vs. when it is created with DSADD,
but for some reason they cannot add it if I make the account with
DSADD. If I delete and recreate it in ADUC, it works no problem.

What's going on here?!?!?!

Thanks.

- JayDee

Re: DSADD COMPUTER - Doesn't work right! by JayDee

JayDee
Fri Mar 28 00:52:48 PDT 2008

On Mar 28, 12:16 am, JayDee <dopam...@mail.com> wrote:
> I set up a group and gave it the following access to an OU. When I
> manually add a computer account to the OU, users in the group can go
> to that computer and add it to the domain. However, if I use DSADD
> COMPUTER to add it (and include the "-samid" to make sure it matches
> the CN) - they get an access denied! Everything looks exactly the same
> between when it is created manually vs. when it is created with DSADD,
> but for some reason they cannot add it if I make the account with
> DSADD. If I delete and recreate it in ADUC, it works no problem.
>
> What's going on here?!?!?!
>
> Thanks.
>
> - JayDee

Not that this matters since when I create the computer manually with
all else the same, I have assigned the following rights to the group
in which the admins are a member at the OU level where the computer
accounts are being created:

(for computer objects:)
Allowed to Authenticate
Change Password
Receive As
Reset Password
Send As
Validated write to DNS host name
Validated write to service principal name

I don't think this is required, but I also have:
R/W all properties
R/M all permissions
M owner
All Validated Writes
All Extended Rights

So... I'm looking forward to an explanation for this weirdness with
such a basic command like DSADD. Thanks again.

- JayDee

Re: DSADD COMPUTER - Doesn't work right! by Richard

Richard
Fri Mar 28 11:14:12 PDT 2008


"JayDee" <dopamine@mail.com> wrote in message
news:f201c9e8-51e3-4326-9ef4-a0b322d579d9@a1g2000hsb.googlegroups.com...
>I set up a group and gave it the following access to an OU. When I
> manually add a computer account to the OU, users in the group can go
> to that computer and add it to the domain. However, if I use DSADD
> COMPUTER to add it (and include the "-samid" to make sure it matches
> the CN) - they get an access denied! Everything looks exactly the same
> between when it is created manually vs. when it is created with DSADD,
> but for some reason they cannot add it if I make the account with
> DSADD. If I delete and recreate it in ADUC, it works no problem.
>
> What's going on here?!?!?!
>
> Thanks.
>
> - JayDee

The sAMAccountName you assign with the samid parameter must have a trailing
"$" appended. For example, if the value of the cn attribute is "wst201",
then the value of sAMAccountName should be "wst201$". I believe the object
is not recognized as a computer object without the trailing "$" character.
The NetBIOS name of the object will be "wst201", the value of sAMAccountName
with the trailing "$" stripped off.

I also see from the documentation for dsadd that if you do not specify
samid, it defaults to a value based on the Common Name, which is undoubtedly
the value of cn with a trailing "$" added, just as you want.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--



Re: DSADD COMPUTER - Doesn't work right! by JayDee

JayDee
Fri Mar 28 15:12:42 PDT 2008

On Mar 28, 11:14 am, "Richard Mueller [MVP]" <rlmueller-nos...@ameritech.nospam.net> wrote:
> "JayDee" <dopam...@mail.com> wrote in message
>
> news:f201c9e8-51e3-4326-9ef4-a0b322d579d9@a1g2000hsb.googlegroups.com...
>
> >I set up a group and gave it the following access to an OU. When I
> > manually add a computer account to the OU, users in the group can go
> > to that computer and add it to the domain. However, if I use DSADD
> > COMPUTER to add it (and include the "-samid" to make sure it matches
> > the CN) - they get an access denied! Everything looks exactly the same
> > between when it is created manually vs. when it is created with DSADD,
> > but for some reason they cannot add it if I make the account with
> > DSADD. If I delete and recreate it in ADUC, it works no problem.
>
> > What's going on here?!?!?!
>
> > Thanks.
>
> > - JayDee
>
> The sAMAccountName you assign with the samid parameter must have a trailing
> "$" appended. For example, if the value of the cn attribute is "wst201",
> then the value of sAMAccountName should be "wst201$". I believe the object
> is not recognized as a computer object without the trailing "$" character.
> The NetBIOS name of the object will be "wst201", the value of sAMAccountName
> with the trailing "$" stripped off.
>
> I also see from the documentation for dsadd that if you do not specify
> samid, it defaults to a value based on the Common Name, which is undoubtedly
> the value of cn with a trailing "$" added, just as you want.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab -http://www.rlmueller.net
> --

That's interesting... but when I didn't specify the -SAMID, the "pre-
Windows 2000" NetBIOS name only came up as 14 characters - the 15th
character that showed up in the fully-qualified name dropped off...
weird since 15 characters is the limit for a netbios name and when I
created it through ADUC, the 15th character didn't drop off, which
allowed the computer to be added...

- JayDee
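
Added example (not part of the original thread): a PowerShell check for the two naming conditions raised in the replies above, the trailing "$" on sAMAccountName and the 15-character NetBIOS limit. `Test-ComputerAccountName` and the sample records are constructed for illustration, and comparing against the first 15 characters of cn is an assumption about the expected name.

```powershell
# Hypothetical helper: not part of dsadd or the ActiveDirectory module.
function Test-ComputerAccountName {
    param(
        [Parameter(Mandatory)][string]$Cn,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $issues = @()

    # A computer account's sAMAccountName is expected to end in "$".
    if (-not $SamAccountName.EndsWith('$')) {
        $issues += 'sAMAccountName has no trailing $'
    }

    # NetBIOS name = sAMAccountName with the trailing "$" stripped off.
    $netbios = $SamAccountName.TrimEnd('$')
    if ($netbios.Length -gt 15) {
        $issues += "NetBIOS name is $($netbios.Length) characters (limit is 15)"
    }

    # Assumption: the expected NetBIOS name is the cn cut to 15 characters.
    $expected = $Cn.Substring(0, [Math]::Min(15, $Cn.Length))
    if ($netbios -ne $expected) {   # -ne compares case-insensitively
        $issues += "NetBIOS name '$netbios' differs from cn-derived '$expected'"
    }

    [pscustomobject]@{
        Cn             = $Cn
        SamAccountName = $SamAccountName
        Issues         = $issues -join '; '
    }
}

# Constructed sample records (wst201 is the name used in the reply above).
$samples = @(
    @{ Cn = 'wst201';          SamAccountName = 'wst201$' }          # well-formed
    @{ Cn = 'wst201';          SamAccountName = 'wst201' }           # -samid set to the bare cn
    @{ Cn = 'LAB-WKSTN-00123'; SamAccountName = 'LAB-WKSTN-0012$' }  # 15th character dropped
)

$samples |
    ForEach-Object { Test-ComputerAccountName -Cn $_.Cn -SamAccountName $_.SamAccountName } |
    Where-Object Issues |
    Format-Table -AutoSize

# Against a live OU (placeholder DN), with the ActiveDirectory module loaded:
#   Get-ADComputer -Filter * -SearchBase 'OU=<your OU>,DC=<domain>,DC=<tld>' |
#     ForEach-Object { Test-ComputerAccountName -Cn $_.Name -SamAccountName $_.SamAccountName }
```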