Add New Computer Object With VBS

A.D.D

Hey All!

When creating a new computer object, we change the 'users/group can
join this computer to a domain' option from 'Domain Admins' to
'Authenticated Users'.

I'm trying to accomplish it with a script as shown below. If I leave
out the defaultgroup line, the object gets created. When run with the
defaultgroup I get an error - a constraint violation occurred. Am I
using the correct attribute ('defaultGroup') to accomplish this and if
so how do I fix it? If not, which attribute do I use?

Thanks

GHG

' objContainer, strComputer and strDescription are set earlier in the script (not shown)
Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "Description", strDescription
objComputer.Put "userAccountControl", 4096
objComputer.SetInfo
 

Richard Mueller [MVP]

First, I would suggest not assigning a value to the userAccountControl
attribute. The value 4096 means a computer account, which may be OK, but the
default value when a computer object is created is 4128, which means a
computer account and no password required. I don't know why that value is
used, but I would not mess with the default.

Next, there is no attribute called "defaultGroup". In fact, when you select
a user or group to join the computer to the domain, no attributes of the
computer object are modified. Instead, a few ACE's are added to the DACL of
the computer object. Specifically, the designated user or group are given
the following permissions:

ADS_RIGHT_DS_WRITE_PROP for SchemaIDGuid:
{4C164200-20C0-11D0-A768-00AA006E0529}
ADS_RIGHT_DS_SELF for SchemaIDGuid: {F3A64788-5306-11D1-A9C5-0000F80367C1}
ADS_RIGHT_DS_SELF for SchemaIDGuid: {72E39547-7B18-11D1-ADEF-00C04FD8D5CD}
ADS_RIGHT_DS_CONTROL_ACCESS for SchemaIDGuid:
{00299570-246D-11D0-A768-00AA006E0529}

I would have to experiment with adding these ACEs to the DACL for the
computer object. First I would search for documentation to confirm that this
is the correct approach.
 

Richard Mueller [MVP]


I was unable to find documentation on this. I was hoping a command line tool
like netdom could be used. Maybe someone else knows. Otherwise, the details
of the 4 ACEs added to the DACL of the computer object are:

Trustee: MyDomain\User_Or_Group
AceFlags : 0
AceType : 5
Flags : 1
ObjectType: {4C164200-20C0-11D0-A768-00AA006E0529}
AccessMask: 32
ADS_RIGHT_DS_WRITE_PROP for SchemaIDGuid:
{4C164200-20C0-11D0-A768-00AA006E0529}

Trustee: MyDomain\User_Or_Group
AceFlags : 0
AceType : 5
Flags : 1
ObjectType: {F3A64788-5306-11D1-A9C5-0000F80367C1}
AccessMask: 8
ADS_RIGHT_DS_SELF for SchemaIDGuid: {F3A64788-5306-11D1-A9C5-0000F80367C1}

Trustee: MyDomain\User_Or_Group
AceFlags : 0
AceType : 5
Flags : 1
ObjectType: {72E39547-7B18-11D1-ADEF-00C04FD8D5CD}
AccessMask: 8
ADS_RIGHT_DS_SELF for SchemaIDGuid: {72E39547-7B18-11D1-ADEF-00C04FD8D5CD}

Trustee: MyDomain\User_Or_Group
AceFlags : 0
AceType : 5
Flags : 1
ObjectType: {00299570-246D-11D0-A768-00AA006E0529}
AccessMask: 256
ADS_RIGHT_DS_CONTROL_ACCESS for SchemaIDGuid:
{00299570-246D-11D0-A768-00AA006E0529}

where the trustee MyDomain\User_Or_Group is the NetBIOS name of the domain
and the NT name of the user or group. Documentation for assigning extended
rights like this in scripts is found here:

http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx

I have used VBScript programs to assign permissions like this, but not these
specific ones.
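An added example (not code from this thread and not Richard Mueller's) that does in PowerShell what the ACE dump above describes: it pre-stages the computer object with ADSI, adds the four ACEs with the GUIDs and access masks listed, and reads the DACL back to confirm they are present. The OU DN and computer name are constructed values. The trustee is given as the well-known SID S-1-5-11 (NT AUTHORITY\Authenticated Users) instead of a name string, so no account-name lookup is involved; any resolvable principal such as [System.Security.Principal.NTAccount]'MYDOM\Workstation Joiners' works in its place. Keep in mind what these four rights add up to: whoever holds them can reset the account's password and write its servicePrincipalName and dNSHostName, so granting them to Authenticated Users lets any domain account take over the pre-staged object until the real machine joins; a dedicated group is the narrower choice.

```powershell
# Added example, not from the thread. Assumed values: the OU DN and computer name.
Add-Type -AssemblyName System.DirectoryServices

# The four ACEs from the DACL dump: AccessMask 32 = WriteProperty,
# 8 = Self (validated write), 256 = ExtendedRight (control access).
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]
$DomainJoinAces = @(
    # AccessMask 32: write the User-Account-Restrictions property set
    @{ Rights = $ADRights::WriteProperty; Guid = [Guid]'4C164200-20C0-11D0-A768-00AA006E0529' }
    # AccessMask 8: validated write to servicePrincipalName
    @{ Rights = $ADRights::Self;          Guid = [Guid]'F3A64788-5306-11D1-A9C5-0000F80367C1' }
    # AccessMask 8: validated write to dNSHostName
    @{ Rights = $ADRights::Self;          Guid = [Guid]'72E39547-7B18-11D1-ADEF-00C04FD8D5CD' }
    # AccessMask 256: the Reset Password extended right
    @{ Rights = $ADRights::ExtendedRight; Guid = [Guid]'00299570-246D-11D0-A768-00AA006E0529' }
)

function New-PrestagedComputer {
    param([string]$ComputerName, [string]$OuDn)
    $ou  = [ADSI]"LDAP://$OuDn"
    $obj = $ou.Create('computer', "CN=$ComputerName")
    $obj.Put('sAMAccountName', "$ComputerName`$")
    # userAccountControl is left at the server default, as recommended above
    $obj.SetInfo()
    return "CN=$ComputerName,$OuDn"
}

function Grant-DomainJoinRights {
    param([string]$ComputerDn, [System.Security.Principal.IdentityReference]$Trustee)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ComputerDn")
    $acl   = $entry.ObjectSecurity
    foreach ($ace in $DomainJoinAces) {
        # This constructor yields an allow object ACE with the object-type GUID present and
        # no inheritance, i.e. AceType 5, Flags 1, AceFlags 0 in the ADSI terms used above
        $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Trustee, $ace.Rights, [System.Security.AccessControl.AccessControlType]::Allow, $ace.Guid)
        $acl.AddAccessRule($rule)
    }
    $entry.CommitChanges()
}

function Test-DomainJoinRights {
    param([string]$ComputerDn, [System.Security.Principal.IdentityReference]$Trustee)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ComputerDn")
    $sid   = $Trustee.Translate([System.Security.Principal.SecurityIdentifier])
    # Explicit ACEs only, keyed by SID so the check does not depend on name resolution
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $DomainJoinAces) {
        $match = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -eq $sid -and
            $_.ObjectType -eq $ace.Guid -and
            (($_.ActiveDirectoryRights -band $ace.Rights) -eq $ace.Rights)
        }
        if (-not $match) { return $false }
    }
    return $true
}

# Constructed values: replace with your OU and computer name
$dn      = New-PrestagedComputer -ComputerName 'ZZZtest' -OuDn 'OU=Workstations,DC=my,DC=domain,DC=com'
$trustee = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # NT AUTHORITY\Authenticated Users
Grant-DomainJoinRights -ComputerDn $dn -Trustee $trustee
Test-DomainJoinRights  -ComputerDn $dn -Trustee $trustee               # True once all four ACEs are present
```

Run it as an account allowed to create computer objects in the target OU. Test-DomainJoinRights compares by SID and tolerates an ACE that carries more bits than the four listed (for instance a WriteProperty ACE that also has ReadProperty), which is why it masks rather than compares the access mask for equality.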
 

A.D.D

Thanks for the info Richard.
I'm newer than new when it comes to the inner workings of AD and
scripting. It is all Greek to me.
If I understand correctly, I must use all 4 of the ACE's. I found some
additional info at http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/computermanagement/ad/
which may help me.

Thanks Again
 

Richard Mueller [MVP]

Your link confirms what I found by reading the DACL (with a script). The
code under "Creating a Computer Account for a User" grants a few more
permissions, but I don't think that hurts. The values for AceFlags, AceType,
Flags, ObjectType, and AccessMask match what I found. Don't be alarmed. This
is pretty advanced stuff, but I would expect the code to work. Just
substitute your values for strComputer (the NetBIOS name of the computer)
and strComputerUser (the NetBIOS name of the domain, a backslash, and the
"pre-Windows 2000 logon name" of the user or group). Also, you would modify
the binding string for objContainer (if desired) to place the new computer
object in the container/OU you want.

If you want to grant permissions to the "Authenticated Users" group rather
than a specific user, the trustee would be:

"NT Authority\Authenticated Users"

since it is an implicit group. You could also grant these permissions to a
domain global group you create, or even to Domain Users.
 

A.D.D

I edited the script from the link "Creating a Computer Account for a
User". I substituted my info...

strComputer = "ZZZtest"

I also created another variable strOU that holds our domain structure
"OU=, OU=, OU= etc"

for strComputerUser I have attempted the following....(with both "\" &
"/")

strComputerUser = "my.domain.com\NT Authority\Authenticated Users"

strComputerUser = "my.domain.com\Authenticated Users"

strComputerUser = "my.domain.com\<my login>" as I have rights to add
to the domain.

I noticed that when I create a computer manually in ADUC and I change
the default from Domain Admins to Authenticated Users, that the
Authenticated Users textbox resolves out to ....

"my.domain.com/Configuration/WellKnown Security Principals/
Authenticated Users"

so I have also tried that as strComputerUser.

Each time I run the script, the computer object is created but I get
an error at the line ...

objComputer.Put "ntSecurityDescriptor", objSecurityDescriptor

stating that "The security ID structure is invalid"

I'm Stumped!!!!!!!!!!
 

Richard Mueller [MVP]

When I enumerate the ACE's in a DACL I see the trustee:

NT Authority\Authenticated Users

with no mention of the domain name. Are you saying that does not work?
 

A.D.D


Thanks for your assistance on this Richard.
Here's my code. All other code in the script is untouched. As I
mentioned, the object gets created. I have also tried using
"our.domain/NT Authority/Authenticated Users" but I always get the
Invalid ID structure. Is there a way to pull the trustee info from a
current computer and use that info? Is it possible that our Domain
Gods have some sort of security in place to prevent what I am
attempting?

NOTE:The physical computers do not exist yet. I'm preparing for a life-
cycle equipment change and thought that it would be easier to script
the computer creation in AD as opposed to hand-jammin' them.

strComputer = "ZZZtest"
strComputerUser = "NT Authority/Authenticated Users"
strOU = "OU=M........t, OU=M........ot, OU=W...........s, OU=N......t, OU=L......s ,"

Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & strOU & objRootDSE.Get("defaultNamingContext"))

Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "Description", "THIS IS A TEST"
 

Richard Mueller [MVP]

I use the script linked here to enumerate security of objects:

http://www.rlmueller.net/DACL.htm

Note the Distinguished Name of the AD object is hardcoded, as is the name
and path of the file the output is written to.

You can also use command line utilities, but I can't remember the name and
the Microsoft site search feature is offline at the moment.

I have not assigned permissions to "NT Authority\Authenticated Users" in a
script, but I assume it can be done. Oh, I just noticed you used a forward
slash in the trustee name in your snippet above. It should be a backslash.
Hopefully that's the problem.
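The DACL enumeration Richard describes, as an added PowerShell example (not his DACL.htm script and not code from the thread): it lists the explicit ACEs on an existing computer object in the same Trustee/AceFlags/AceType/Flags/ObjectType/AccessMask layout used earlier in the thread, labels the four domain-join GUIDs, and resolves each trustee to the backslash form AD uses (for example "NT AUTHORITY\Authenticated Users"), so an existing object shows exactly which trustee string to copy. SIDs that no longer resolve are printed raw instead of aborting the dump. The computer DN at the bottom is a constructed value.

```powershell
# Added example, not from the thread. Assumed value: the computer DN at the bottom.
Add-Type -AssemblyName System.DirectoryServices

# The four domain-join ACEs by schemaIDGUID (lower-case keys for lookup)
$JoinRightNames = @{
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'WriteProperty: User-Account-Restrictions property set'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Self: validated write to servicePrincipalName'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Self: validated write to dNSHostName'
    '00299570-246d-11d0-a768-00aa006e0529' = 'ExtendedRight: Reset Password'
}

function ConvertTo-AceFlags {
    # Rebuild the ACE header flags byte (IADsAccessControlEntry.AceFlags) from the .NET rule:
    # 0x1 OBJECT_INHERIT, 0x2 CONTAINER_INHERIT, 0x4 NO_PROPAGATE_INHERIT, 0x8 INHERIT_ONLY, 0x10 INHERITED
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $flags = 0
    if (([int]$Rule.InheritanceFlags -band 2) -ne 0) { $flags = $flags -bor 0x01 }   # ObjectInherit
    if (([int]$Rule.InheritanceFlags -band 1) -ne 0) { $flags = $flags -bor 0x02 }   # ContainerInherit
    if (([int]$Rule.PropagationFlags -band 1) -ne 0) { $flags = $flags -bor 0x04 }   # NoPropagateInherit
    if (([int]$Rule.PropagationFlags -band 2) -ne 0) { $flags = $flags -bor 0x08 }   # InheritOnly
    if ($Rule.IsInherited)                            { $flags = $flags -bor 0x10 }
    return $flags
}

function Get-ComputerDaclDump {
    param([string]$ComputerDn, [switch]$IncludeInherited)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ComputerDn")
    # Explicit entries by default (the join option writes explicit ACEs), fetched as SIDs
    $rules = $entry.ObjectSecurity.GetAccessRules($true, [bool]$IncludeInherited, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $sid = $r.IdentityReference
        try   { $trustee = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $trustee = $sid.Value }   # principal no longer resolvable: show the raw SID
        $objFlags = [int]$r.ObjectFlags    # 1 = ObjectType present, 2 = InheritedObjectType present
        $allow    = ($r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow)
        # AceType: 0 allow / 1 deny for plain ACEs, 5 allow / 6 deny for object ACEs
        if ($objFlags -ne 0) { $aceType = if ($allow) { 5 } else { 6 } }
        else                 { $aceType = if ($allow) { 0 } else { 1 } }
        $aceFlags = ConvertTo-AceFlags -Rule $r
        $guidKey  = $r.ObjectType.ToString().ToLower()
        $meaning  = ''
        if ($JoinRightNames.ContainsKey($guidKey)) { $meaning = $JoinRightNames[$guidKey] }
        [pscustomobject]@{
            Trustee    = $trustee
            AceFlags   = $aceFlags
            AceType    = $aceType
            Flags      = $objFlags
            ObjectType = '{' + $r.ObjectType.ToString().ToUpper() + '}'
            AccessMask = [int]$r.ActiveDirectoryRights
            Meaning    = $meaning
        }
    }
}

function Get-DomainJoinTrustees {
    # Trustees holding all four explicit allow ACEs, i.e. who "can join this computer to a domain"
    param([string]$ComputerDn)
    Get-ComputerDaclDump -ComputerDn $ComputerDn |
        Where-Object { $_.AceType -eq 5 -and $_.Meaning -ne '' } |
        Group-Object -Property Trustee |
        Where-Object { @($_.Group | Select-Object -ExpandProperty ObjectType -Unique).Count -eq 4 } |
        Select-Object -ExpandProperty Name
}

# Constructed value: the DN of an existing computer object whose DACL you want to copy
$dn = 'CN=ZZZtest,OU=Workstations,DC=my,DC=domain,DC=com'
Get-ComputerDaclDump -ComputerDn $dn | Format-Table Trustee, AceFlags, AceType, Flags, ObjectType, AccessMask, Meaning -AutoSize
Get-DomainJoinTrustees -ComputerDn $dn
```

The Trustee column is what to paste into a script's trustee string: the domain NetBIOS name or "NT AUTHORITY", a backslash, then the pre-Windows 2000 name. Get-DomainJoinTrustees is the quick audit of who can take ownership of a pre-staged account before the machine joins.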
 

A.D.D

I ran your enumeration script. I think that I damaged my retinas
looking at it. Kidding! When run from my pc it displays me as the
trustee. So I used that information to run my script but no luck. I
have tried both forward and backward slashes and I made sure that
there are no spaces between the OU entries in the string. I still get
the Security ID Structure invalid msg. I'm going to have to contact
the AD team and see if it's something that they have configured.

Thanks for working with me on this.
 
