A
Wed Dec 05 09:42:30 PST 2007
On Dec 5, 11:40 am, "Richard Mueller [MVP]" <rlmueller-nos...@ameritech.nospam.net> wrote:
> "A.D.D" <thegosch...@gmail.com> wrote in message
> news:c396f10d-ef1a-4700-b201-c07432063281@o6g2000hsd.googlegroups.com...
>
> > On Dec 4, 4:16 pm, "Richard Mueller [MVP]" <rlmueller-nos...@ameritech.nospam.net> wrote:
> >> "A.D.D" <thegosch...@gmail.com> wrote in message
> >> news:eeb4ff57-91ab-4009-825d-dd7165051f08@x69g2000hsx.googlegroups.com...
> >
> >> > On Dec 4, 2:05 pm, "Richard Mueller [MVP]" <rlmueller-nos...@ameritech.nospam.net> wrote:
> >> >> "Richard Mueller [MVP]" <rlmueller-nos...@ameritech.nospam.net> wrote in
> >> >> message news:%23Yj9YMqNIHA.1188@TK2MSFTNGP04.phx.gbl...
> >
> >> >> > "A.D.D" <thegosch...@gmail.com> wrote in message
> >> >> > news:e34d22a1-5086-4d7b-96a6-49de15ba952c@j44g2000hsj.googlegroups.com...
> >> >> >> Hey All!
> >
> >> >> >> When creating a new computer object, we change the 'users/group can
> >> >> >> join this computer to a domain' option from 'Domain Admins' to
> >> >> >> 'Authenticated Users'.
> >
> >> >> >> I'm trying to accomplish it with a script as shown below. If I leave
> >> >> >> out the defaultgroup line, the object gets created. When run with the
> >> >> >> defaultgroup I get an error - a constraint violation occurred. Am I
> >> >> >> using the correct attribute ('defaultGroup') to accomplish this and if
> >> >> >> so how do I fix it? If not, which attribute do I use?
>
> >> >> ...<snip>
> >
> >> >> > First, I would suggest not assigning a value to the userAccountControl
> >> >> > attribute. The value 4096 means a computer account, which may be OK, but
> >> >> > the default value when a computer object is created is 4128, which means a
> >> >> > computer account and no password required. I don't know why that value is
> >> >> > used, but I would not mess with the default.
> >
> >> >> > Next, there is no attribute called "defaultGroup". In fact, when you
> >> >> > select a user or group to join the computer to the domain, no attributes
> >> >> > of the computer object are modified. Instead, a few ACE's are added to the
> >> >> > DACL of the computer object. Specifically, the designated user or group
> >> >> > are given the following permissions:
> >
> >> >> > ADS_RIGHT_DS_WRITE_PROP for SchemaIDGuid:
> >> >> > {4C164200-20C0-11D0-A768-00AA006E0529}
> >> >> > ADS_RIGHT_DS_SELF for SchemaIDGuid:
> >> >> > {F3A64788-5306-11D1-A9C5-0000F80367C1}
> >> >> > ADS_RIGHT_DS_SELF for SchemaIDGuid:
> >> >> > {72E39547-7B18-11D1-ADEF-00C04FD8D5CD}
> >> >> > ADS_RIGHT_DS_CONTROL_ACCESS for SchemaIDGuid:
> >> >> > {00299570-246D-11D0-A768-00AA006E0529}
> >
> >> >> > I would have to experiment with adding these ACE's to the DACL for the
> >> >> > computer object. First I would search for documentation to confirm that
> >> >> > this is the correct approach.
>
> >> >> I was unable to find documentation on this. I was hoping a command line
> >> >> tool like netdom could be used. Maybe someone else knows. Otherwise, the
> >> >> details of the 4 ACE's added to the DACL of the computer object are:
>
> >> >> Trustee: MyDomain\User_Or_Group
> >> >> AceFlags : 0
> >> >> AceType : 5
> >> >> Flags : 1
> >> >> ObjectType: {4C164200-20C0-11D0-A768-00AA006E0529}
> >> >> AccessMask: 32
> >> >> ADS_RIGHT_DS_WRITE_PROP for SchemaIDGuid:
> >> >> {4C164200-20C0-11D0-A768-00AA006E0529}
>
> >> >> Trustee: MyDomain\User_Or_Group
> >> >> AceFlags : 0
> >> >> AceType : 5
> >> >> Flags : 1
> >> >> ObjectType: {F3A64788-5306-11D1-A9C5-0000F80367C1}
> >> >> AccessMask: 8
> >> >> ADS_RIGHT_DS_SELF for SchemaIDGuid:
> >> >> {F3A64788-5306-11D1-A9C5-0000F80367C1}
>
> >> >> Trustee: MyDomain\User_Or_Group
> >> >> AceFlags : 0
> >> >> AceType : 5
> >> >> Flags : 1
> >> >> ObjectType: {72E39547-7B18-11D1-ADEF-00C04FD8D5CD}
> >> >> AccessMask: 8
> >> >> ADS_RIGHT_DS_SELF for SchemaIDGuid:
> >> >> {72E39547-7B18-11D1-ADEF-00C04FD8D5CD}
>
> >> >> Trustee: MyDomain\User_Or_Group
> >> >> AceFlags : 0
> >> >> AceType : 5
> >> >> Flags : 1
> >> >> ObjectType: {00299570-246D-11D0-A768-00AA006E0529}
> >> >> AccessMask: 256
> >> >> ADS_RIGHT_DS_CONTROL_ACCESS for SchemaIDGuid:
> >> >> {00299570-246D-11D0-A768-00AA006E0529}
>
> >> >> where the trustee MyDomain\User_Or_Group is the NetBIOS name of the domain
> >> >> and the NT name of the user or group. Documentation for assigning extended
> >> >> rights like this in scripts is found here:
> >
> >> >> http://www.microsoft.com/technet/scriptcenter/topics/security/exright...
> >
> >> >> I have used VBScript programs to assign permissions like this, but not
> >> >> these specific ones.
>
> >> >> --
> >> >> Richard Mueller
> >> >> Microsoft MVP Scripting and ADSI
> >> >> Hilltop Lab - http://www.rlmueller.net
>
> >> > Thanks for the info Richard.
> >> > I'm newer than new when it comes to the inner workings of AD and
> >> > scripting. It is all Greek to me.
> >> > If I understand correctly, I must use all 4 of the ACE's. I found some
> >> > additional info at
> >> > http://www.activexperts.com/activmonitor/windowsmanagement/adminscrip...
> >> > which may help me.
>
> >> > Thanks Again
>
> >> Your link confirms what I found by reading the DACL (with a script). The
> >> code under "Creating a Computer Account for a User" grants a few more
> >> permissions, but I don't think that hurts. The values for AceFlags, AceType,
> >> Flags, ObjectType, and AccessMask match what I found. Don't be alarmed. This
> >> is pretty advanced stuff, but I would expect the code to work. Just
> >> substitute your values for strComputer (the NetBIOS name of the computer)
> >> and strComputerUser (the NetBIOS name of the domain, a backslash, and the
> >> "pre-Windows 2000 logon name" of the user or group). Also, you would modify
> >> the binding string for objContainer (if desired) to place the new computer
> >> object in the container/OU you want.
>
> >> If you want to grant permissions to the "Authenticated Users" group rather
> >> than a specific user, the trustee would be:
> >
> >> "NT Authority\Authenticated Users"
> >
> >> since it is an implicit group. You could also grant these permissions to a
> >> domain global group you create, or even to Domain Users.
>
> >> --
> >> Richard Mueller
> >> Microsoft MVP Scripting and ADSI
> >> Hilltop Lab - http://www.rlmueller.net
>
> > I edited the script from the link "Creating a Computer Account for a
> > User". I substituted my info...
>
> > strComputer = "ZZZtest"
>
> > I also created another variable strOU that holds our domain structure
> > "OU=, OU=, OU= etc"
>
> > for strComputerUser I have attempted the following....(with both "\" &
> > "/")
>
> > strComputerUser = "my.domain.com\NT Authority\Authenticated Users"
>
> > strComputerUser = "my.domain.com\Authenticated Users"
>
> > strComputerUser = "my.domain.com\<my login>" as I have rights to add
> > to the domain.
>
> > I noticed that when I create a computer manually in ADUC and I change
> > the Default from Domain Admins to Authenticated Users, that the
> > Authenticated Users textbox resolves out to ....
>
> > "my.domain.com/Configuration/WellKnown Security Principals/
> > Authenticated Users"
>
> > so I have also tried that as strComputerUser.
>
> > Each time I run the script, the computer object is created but I get
> > an error at the line ...
>
> > objComputer.Put "ntSecurityDescriptor", objSecurityDescriptor
>
> > stating that "The security ID structure is invalid"
>
> > I'm Stumped!!!!!!!!!!
>
> When I enumerate the ACE's in a DACL I see the trustee:
>
> NT Authority\Authenticated Users
>
> with no mention of the domain name. Are you saying that does not work?
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net

Thanks for your assistance on this Richard.
Here's my code . All other code in the script is untouched. As I
mentioned, the object gets created. I have also tried using
"our.domain/NT Authority/Authenticated Users" but I always get the
Invalid ID structure. Is there a way to pull the trustee info from a
current computer and use that info? Is it possible that our Domain
Gods have some sort of security in place to prevent what I am
attempting?
NOTE: The physical computers do not exist yet. I'm preparing for a life-cycle
equipment change and thought that it would be easier to script the computer
creation in AD as opposed to hand-jammin' them.
' Values substituted into the "Creating a Computer Account for a User" sample.
strComputer = "ZZZtest"
' Trustee string handed to the DACL code later in the script.
strComputerUser = "NT Authority/Authenticated Users"
' Relative OU path; the domain's default naming context is appended below.
strOU = "OU=M........t, OU=M........ot, OU=W...........s, OU=N......t, OU=L......s ,"

Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & strOU & objRootDSE.Get("defaultNamingContext"))

' Create the computer object in that container.
Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "Description", "THIS IS A TEST"
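The procedure Richard describes in the quoted replies (create the computer object, leave userAccountControl at its default, then add four object-specific ACEs to the object's DACL for the chosen trustee), carried through as an added example in PowerShell on System.DirectoryServices rather than the thread's VBScript/ADSI. It is not code from the thread or from the activexperts sample. The trustee is given as the well-known SID S-1-5-11 (Authenticated Users), so no "NT Authority\..." name string has to be resolved at all. The OU distinguished name and computer name are placeholders to replace.

```powershell
# Added example (not from the thread): create a computer object and grant the
# "join this computer to a domain" delegation to Authenticated Users by adding
# the four object ACEs listed in the thread. Windows PowerShell on a
# domain-joined host; no ActiveDirectory module required.
param(
    [string]$ComputerName = 'ZZZtest',                           # same test name as the thread
    [string]$OuDn         = 'OU=Workstations,DC=example,DC=com'  # assumption: replace with your OU
)

Add-Type -AssemblyName System.DirectoryServices

# Trustee as a SID rather than a name: S-1-5-11 is Authenticated Users.
$trustee = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')

# schemaIDGUIDs from the thread, with the right each ACE carries. The
# ActiveDirectoryRights values match the thread's access masks:
# WriteProperty = 32, Self = 8, ExtendedRight = 256.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$aces = @(
    @{ ObjectType = [guid]'4C164200-20C0-11D0-A768-00AA006E0529'; Right = $R::WriteProperty }  # Account Restrictions property set
    @{ ObjectType = [guid]'F3A64788-5306-11D1-A9C5-0000F80367C1'; Right = $R::Self }           # validated write to servicePrincipalName
    @{ ObjectType = [guid]'72E39547-7B18-11D1-ADEF-00C04FD8D5CD'; Right = $R::Self }           # validated write to dNSHostName
    @{ ObjectType = [guid]'00299570-246D-11D0-A768-00AA006E0529'; Right = $R::ExtendedRight }  # Reset Password control access right
)

# 1. Create the object. userAccountControl is deliberately not set, so the
#    DC applies its default (the 4128 Richard mentions).
$ou       = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDn")
$computer = $ou.Children.Add("CN=$ComputerName", 'computer')
$computer.Properties['sAMAccountName'].Value = $ComputerName + '$'
$computer.Properties['description'].Value    = 'THIS IS A TEST'
$computer.CommitChanges()

# 2. Add the four ACEs. Each rule becomes an ACCESS_ALLOWED_OBJECT ACE
#    (AceType 5) carrying an object-type GUID (Flags 1) with no inheritance
#    (AceFlags 0), the same shape the thread's DACL dump shows.
foreach ($ace in $aces) {
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $trustee, $ace.Right,
                      [System.Security.AccessControl.AccessControlType]::Allow,
                      $ace.ObjectType
    $computer.ObjectSecurity.AddAccessRule($rule)
}
$computer.CommitChanges()

# 3. Verify: read the DACL back and list the explicit ACEs held by the trustee.
$computer.RefreshCache(@('ntSecurityDescriptor'))
$computer.ObjectSecurity.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $trustee.Value } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it as an account that can create computer objects in the OU; the creator owns the new object, so the DACL write in step 2 succeeds without extra delegation. The listing in step 3 is the same check Richard performed when he enumerated the ACEs with a script: you should see exactly four non-inherited Allow entries for S-1-5-11 with the four GUIDs above. Be clear about what this grants, because it is the real content of the "join this computer to a domain" option: every authenticated principal can now write the account's DNS host name and SPN attributes and reset its password. Putting a dedicated global group in $trustee instead, as Richard also suggests, keeps that delegation to the accounts that actually perform joins.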