Modify security settings in AD


Mathias Haas

Hello!

I've written a vbscript that adds the logged-on user's name into the computer
description in Active Directory. The problem is you can only change the
computer description in AD if you have "Write Public Information" rights in
Computer->Properties->Security->Permissions which normal users don't have.
(The script runs when the user logs in.)

I couldn't find an AD-policy for this. I was thinking of creating a group
with "Write Public Information" rights and set this on all computers, but I
can't see how that could be possible either. Is it otherwise possible to
change "Write Public Information" for each computer object in AD through
vbscript? 3rd party tools?

I'd be happy for any suggestion, manually setting it for 1000 computers
would be - tedious. :)

Kind regards,
Mathias.
 

Richard Mueller [MVP]

Mathias said:
I've written a vbscript that adds the logged-on user's name into the computer
description in Active Directory. The problem is you can only change the
computer description in AD if you have "Write Public Information" rights in
Computer->Properties->Security->Permissions which normal users don't have.
(The script runs when the user logs in.)

I couldn't find an AD-policy for this. I was thinking of creating a group
with "Write Public Information" rights and set this on all computers, but I
can't see how that could be possible either. Is it otherwise possible to
change "Write Public Information" for each computer object in AD through
vbscript? 3rd party tools?

I'd be happy for any suggestion, manually setting it for 1000 computers
would be - tedious. :)

Hi,

You could code a VBScript program to enumerate all computer objects in the
domain (or in an OU or group) and modify the DACL for each to add an ACE
that grants ADS_RIGHT_DS_WRITE_PROP to the trustee "NT
Authority\Authenticated Users". By default, this trustee has
ADS_RIGHT_DS_READ_PROP only, as you have seen. The trustee "MyDomain\Domain
Admins" has both read and write permission.

However, I would not recommend this. AD is designed to store info that does
not change often. Modifying the description attribute of the computer at
every logon would generate a lot of replication traffic.

If your aim is to track who uses which computers, you could have a logon
script append the username, computername, and the date/time to a log file in
a shared location. Or, if you want help desk people to know which computer a
user is logged into, perhaps you could have the user run a script to
retrieve the computer name.
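The enumerate-and-modify-DACL approach Richard describes, written out as an added example (this is not code from either poster). Two choices differ from his sketch and are deliberate: the ACE is an object-specific ACE scoped to the "Public Information" property set, because an unscoped ADS_RIGHT_DS_WRITE_PROP ACE would grant Authenticated Users write access to every attribute of the computer object, not just the description; and the script checks for an existing equivalent ACE first so re-running it does not stack duplicates. Assumptions: SEARCH_BASE and DRY_RUN are placeholders you set; the property-set GUID is read at run time from CN=Public-Information in the Extended-Rights container rather than hardcoded; and the script runs under an account that may write ntSecurityDescriptor on the computer objects (e.g. Domain Admins).

```vbscript
Option Explicit

' ADSI constants (values from iads.h)
Const ADS_RIGHT_DS_WRITE_PROP           = &H20
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_FLAG_OBJECT_TYPE_PRESENT      = &H1

' Assumed settings, not from the thread: search scope and dry-run switch.
Const SEARCH_BASE = ""     ' "" = whole domain; or e.g. "OU=Workstations,DC=example,DC=com"
Const DRY_RUN     = True   ' True = report only; set False to actually write the DACL
Const TRUSTEE     = "NT AUTHORITY\Authenticated Users"

Dim objRootDSE, strDefaultNC, strConfigNC, strPropSetGuid
Set objRootDSE = GetObject("LDAP://RootDSE")
strDefaultNC = objRootDSE.Get("defaultNamingContext")
strConfigNC  = objRootDSE.Get("configurationNamingContext")

' Resolve the "Public Information" property set GUID from the schema's
' Extended-Rights container so nothing is hardcoded.
strPropSetGuid = "{" & GetObject("LDAP://CN=Public-Information,CN=Extended-Rights," & _
                 strConfigNC).Get("rightsGuid") & "}"

' True if the DACL already carries an allow-object ACE for this trustee that
' grants write-property on the same property set (keeps the script idempotent).
Function HasScopedWriteAce(objSD, strTrustee, strObjectType)
    Dim objAce
    HasScopedWriteAce = False
    For Each objAce In objSD.DiscretionaryAcl
        If objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT Then
            If LCase(objAce.Trustee) = LCase(strTrustee) Then
                If (objAce.AccessMask And ADS_RIGHT_DS_WRITE_PROP) <> 0 Then
                    If LCase(objAce.ObjectType) = LCase(strObjectType) Then
                        HasScopedWriteAce = True
                        Exit Function
                    End If
                End If
            End If
        End If
    Next
End Function

' Add a single non-inheritable ACE: Authenticated Users may write the
' "Public Information" property set (which contains description) on this object.
Sub GrantScopedWrite(objComputer)
    Dim objSD, objDacl, objAce, strDN
    strDN = objComputer.Get("distinguishedName")
    Set objSD = objComputer.Get("ntSecurityDescriptor")
    If HasScopedWriteAce(objSD, TRUSTEE, strPropSetGuid) Then
        WScript.Echo "skip   " & strDN & " (ACE already present)"
        Exit Sub
    End If
    Set objAce = CreateObject("AccessControlEntry")
    objAce.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objAce.AccessMask = ADS_RIGHT_DS_WRITE_PROP
    objAce.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
    objAce.ObjectType = strPropSetGuid
    objAce.Trustee    = TRUSTEE
    objAce.AceFlags   = 0               ' applies to this object only, not inherited
    Set objDacl = objSD.DiscretionaryAcl
    objDacl.AddAce objAce
    objSD.DiscretionaryAcl = objDacl
    If DRY_RUN Then
        WScript.Echo "would  " & strDN
    Else
        On Error Resume Next
        objComputer.Put "ntSecurityDescriptor", objSD
        objComputer.SetInfo
        If Err.Number <> 0 Then
            WScript.Echo "FAILED " & strDN & ": " & Err.Description
            Err.Clear
        Else
            WScript.Echo "done   " & strDN
        End If
        On Error GoTo 0
    End If
End Sub

' Enumerate every computer object under the search base with a paged ADO query.
Dim objConn, objCmd, objRS, strBase, objComputer
strBase = SEARCH_BASE
If strBase = "" Then strBase = strDefaultNC

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = "<LDAP://" & strBase & ">;(objectCategory=computer);adsPath;subtree"
objCmd.Properties("Page Size") = 1000

Set objRS = objCmd.Execute
Do Until objRS.EOF
    Set objComputer = GetObject(objRS.Fields("adsPath").Value)
    GrantScopedWrite objComputer
    objRS.MoveNext
Loop
objRS.Close
objConn.Close
```

Run it first with DRY_RUN = True against a test OU and confirm the reported list is what you expect, then flip the switch. After applying, open one computer object in ADSI Edit or the Security tab and check that the new entry shows as "Write Public Information" for Authenticated Users with "This object only" scope, and that the DACL is still in canonical order (explicit deny, explicit allow, inherited). Note that this grants every authenticated user write access to that property set on every computer, not only the one they are sitting at, so Richard's replication concern and the broader question of whether the description attribute should be writable by all users at all still apply.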
 