Andrew Williamson
Hi
Am working on populating the AD with the MAC and last-known IP
addresses of all computers in the domain. For this, I intend to use
the computer account attributes extensionAttribute1 and
extensionAttribute2 and update them using a GPO computer startup
script (.vbs).
No problems with that, but of course a computer's logon script runs as
SYSTEM account and that doesn't have permission to update the AD. Can
anyone suggest the best-practice I would use so that a computer (well,
2000 of them actually) could get permissions to update only its own
fields in the AD?
It appears that under ADU&C, Advanced, I can set a computer's security
properties so that SELF has "read public information" and "write
public information" (doesn't appear to work with "private" information
- odd?), but I'm reluctant to apply that to 2000 computers in case it
opens something else up I'm unaware of.
Any other way to accomplish this? Can I 'publish' those two attributes
for all computers automatically as like 'public access' or something
for example?
Looking forward to some good suggestions.
Rgds
AW
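
An added example, not part of the original post: one way to give each computer write access to only these two attributes on its own account, instead of the whole "public information" property set, is an inherited SELF ACE per attribute on the OU, followed by an audit of what SELF was actually granted there. The OU DN is a constructed placeholder; the script assumes the RSAT ActiveDirectory module and dsacls.exe are available and that extensionAttribute1 and extensionAttribute2 exist in the forest schema.

```powershell
# Added example. Placeholder DN (constructed): the OU holding the computer accounts.
$TargetOU   = 'OU=Workstations,DC=example,DC=com'
$Attributes = 'extensionAttribute1', 'extensionAttribute2'

Import-Module ActiveDirectory

# Resolve each attribute's schemaIDGUID first, so a missing attribute stops the run
# before any ACL is changed. The map is reused by the audit below.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
foreach ($attr in $Attributes) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    if (-not $schemaObj) { throw "$attr is not defined in this forest's schema" }
    $guidToName[[guid]$schemaObj.schemaIDGUID] = $attr
}

# Grant SELF write-property (WP) on each named attribute only. /I:S makes the ACE
# apply to descendant objects, and ";computer" limits it to computer objects.
foreach ($attr in $Attributes) {
    & dsacls.exe $TargetOU /I:S /G "SELF:WP;$attr;computer" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $attr" }
}

$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "computer"
$sidType       = [System.Security.Principal.SecurityIdentifier]
$acl           = Get-Acl -Path "AD:\$TargetOU"

# Audit the explicit ACEs for SELF (well-known SID S-1-5-10) set on the OU.
$acl.GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-5-10' } |
    ForEach-Object {
        $known = $guidToName.ContainsKey($_.ObjectType)
        [pscustomobject]@{
            Rights    = $_.ActiveDirectoryRights
            Attribute = if ($known) { $guidToName[$_.ObjectType] } else { $_.ObjectType }
            AppliesTo = $_.InheritedObjectType
            Expected  = $known -and $_.ActiveDirectoryRights -eq 'WriteProperty' -and
                        $_.InheritedObjectType -eq $computerClass
        }
    }
```

Any row with Expected = False is a SELF grant on the OU beyond the two attributes and is worth reviewing before rollout.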