Computer accounts in AD

[Sabir Ahmedi]

Hi,

1) I know that every user in AD can add upto 10 computer accounts. Is there
any danger in letting this happen or is it best practice to assign a
helpdesk group the ability to add computer accounts??

2) Also other than applying the GPO's to computer accounts, is there any
real reason to organize them into separate OU's?

3) Is there any way in a Windows 2003 domain to allow the computer accounts
being added to be split up and organized into pre-defined OU's?


Thanks.
Sabs.

 

[Chriss3]

Hello Sabir.

1) This depends of the environment you are in if you self se this as an risk
you should limit this feature. (Users have same rights at an existing
computer in the domain as one they have added self.)

You can how ever change this if you have Windows Server Support Tools
installed located on the Windows Server CD.

1.. Open ADSI Edit.

2.. Right-click on the domainDNS object for the domain you want to change
and select Properties.

3.. Edit the ms-DS-MachineAccountQuota attribute and enter the new quota
value.

4.. Click OK

Or use the follow script.


intQuota = <Quota>
strDomain = "<DomainDNSName>" ' e.g. chrisse.local

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" &
objRootDSE.Get("defaultNamingContext"))
objDomain.Put "ms-DS-MachineAccountQuota", intQuota
objDomain.SetInfo

2) Yes for delegation.

3) Yes you can bind another default container for new computer accounts this
can be done with ldp.exe from Windows Server RESKIT and ADSI Scripting so
far I know.

 

[Chriss3]

Here is a script to change the default location for new computers.

' This code changes the default computers container.
' ------ SCRIPT CONFIGURATION ------
strNewComputersParent = "<NewComputersParent>" ' e.g. OU=RAllenCorp
Computers
strDomain = "<DomainDNSName>" ' e.g. rallencorp.com
' ------ END CONFIGURATION ---------

Const COMPUTER_WKGUID = "B:32:AA312825768811D1ADED00C04FD8D5CD:"
' ADS_PROPERTY_OPERATION_ENUM
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" &
objRootDSE.Get("defaultNamingContext"))
set objCompWK = GetObject("LDAP://" & _
"<WKGUID=AA312825768811D1ADED00C04FD8D5CD," & _
objRootDSE.Get("defaultNamingContext") & ">")

objDomain.PutEx ADS_PROPERTY_DELETE, "wellKnownObjects", _
Array( COMPUTER_WKGUID & objCompWK.Get("distinguishedName"))
objDomain.PutEx ADS_PROPERTY_APPEND, "wellKnownObjects", _
Array( COMPUTER_WKGUID & strNewComputersParent & "," &
objRootDSE.Get("defaultNamingContext") )
objDomain.SetInfo
WScript.Echo "New default Computers container set to " & _
strNewComputersParent

You can define a location if you use RIS also.

 

[Sabir Ahmedi]

Chris,
Thanks for the awesome reply.

I still did not understand why it is a bad idea to let users add computer
accounts to the domain.

Also can the script let the computer accounts flow into 2 separate OU's
based on their name.

-Sabir.

 

[Chriss3]

As I said I don't see that like a bad idea and that's why we have it by
defaults. The Script doesn't let you that. May a schedule task to move
computers after there names in to different OUs can work.

 

[Sabir Ahmedi]

Thanks again Chris.

As I said I don't see that like a bad idea and that's why we have it by
defaults. The Script doesn't let you that. May a schedule task to move
computers after there names in to different OUs can work.

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

&

 

[Brian Desmond [MVP]]

Sabir,

It can be an issue from a security standpoint. Allowing users to introduce
any machine to your domain can pose a major risk if the machine has malware
on it.

--
--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com