Active Directory and Computers - Creating a Computer for a Specific User or Group
Problem
You want to create a computer account for a specific user or group to join to the domain. This requires setting permissions on the computer account so that the user or group can modify certain attributes.
Solution
Using a graphical user interface
Open the ADUC snap-in.
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
In the left pane, browse to the parent container for the computer, right-click on it, and select New -> Computer.
Enter the name of the computer.
Under “The following user or group can join this computer to a domain,” click the Change button.
Use the Object Picker to select a user or group to join the computer to the domain.
Click OK.
Using a command-line interface
In the following solution, replace <ComputerDN> with the distinguished name of the computer object and <UserOrGroup> with the user principal name or NT-style name of the user or group you want to manage the computer:
> dsadd computer <ComputerDN>
> dsacls <ComputerDN> /G <UserOrGroup>:CALCGRSDDTRC;;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;description;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;sAMAccountName;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;displayName;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;userAccountControl;
> dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to service principal name";
> dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to DNS host name";
You can replace the first line of this code with the AdMod code from Recipe 8.1 if you choose.
Using VBScript
' This code creates a computer object and grants a user/group rights over it.
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ComputerName>" ' e.g. joe-xp
strUser = "<UserOrGroup>" ' e.g. joe@rallencorp.com or RALLENCORP\joe
strDescr = "<ComputerDescr>" ' e.g. Joe's workstation
strDomain = "<ComputerDomain>" ' e.g. rallencorp.com
' ------ END CONFIGURATION ---------
'############################
' Constants
'############################
' ADS_USER_FLAG_ENUM
Const ADS_UF_PASSWD_NOTREQD = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000
' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
' ADS_RIGHTS_ENUM
Const ADS_RIGHT_DS_SELF = &h8
Const ADS_RIGHT_DS_WRITE_PROP = &h20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
Const ADS_RIGHT_ACTRL_DS_LIST = &h4
Const ADS_RIGHT_GENERIC_READ = &h80000000
Const ADS_RIGHT_DELETE = &h10000
Const ADS_RIGHT_DS_DELETE_TREE = &h40
Const ADS_RIGHT_READ_CONTROL = &h20000
' schemaIDGUID values
Const DISPLAY_NAME = "{bf967953-0de6-11d0-a285-00aa003049e2}"
Const SAM_ACCOUNT_NAME = "{3e0abfd0-126a-11d0-a060-00aa006c33ed}"
Const DESCRIPTION = "{bf967950-0de6-11d0-a285-00aa003049e2}"
' controlAccessRight rightsGUID values
Const USER_LOGON_INFORMATION = "{5f202010-79a5-11d0-9020-00c04fc2d4cf}"
Const USER_ACCOUNT_RESTRICTIONS = "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"
'############################
' Create Computer
'############################
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objContainer = GetObject("LDAP://cn=Computers," & _
objRootDSE.Get("defaultNamingContext"))
set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "userAccountControl", _
ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.Put "description", strDescr
objComputer.SetInfo
'############################
' Create ACL
'############################
set objSD = objComputer.Get("nTSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl
' Special: Control Rights, List Children
' Generic Read, Delete,
' Delete Subtree, Read Permission
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee = strUser
objACE1.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS Or _
ADS_RIGHT_ACTRL_DS_LIST Or _
ADS_RIGHT_GENERIC_READ Or _
ADS_RIGHT_DELETE Or _
ADS_RIGHT_DS_DELETE_TREE Or ADS_RIGHT_READ_CONTROL
objACE1.AceFlags = 0
objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
' Write Property: description
set objACE2 = CreateObject("AccessControlEntry")
objACE2.Trustee = strUser
objACE2.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE2.AceFlags = 0
objACE2.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE2.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE2.ObjectType = DESCRIPTION
' Write Property: sAMAccountName
set objACE3 = CreateObject("AccessControlEntry")
objACE3.Trustee = strUser
objACE3.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE3.AceFlags = 0
objACE3.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE3.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE3.ObjectType = SAM_ACCOUNT_NAME
' Write Property: displayName
set objACE4 = CreateObject("AccessControlEntry")
objACE4.Trustee = strUser
objACE4.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE4.AceFlags = 0
objACE4.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE4.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE4.ObjectType = DISPLAY_NAME
' Write Property: Logon Information
set objACE5 = CreateObject("AccessControlEntry")
objACE5.Trustee = strUser
objACE5.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE5.AceFlags = 0
objACE5.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE5.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE5.ObjectType = USER_LOGON_INFORMATION
' Write Property: Account Restrictions
set objACE6 = CreateObject("AccessControlEntry")
objACE6.Trustee = strUser
objACE6.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE6.AceFlags = 0
objACE6.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE6.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE6.ObjectType = USER_ACCOUNT_RESTRICTIONS
' Write Self: Validated SPN
set objACE7 = CreateObject("AccessControlEntry")
objACE7.Trustee = strUser
objACE7.AccessMask = ADS_RIGHT_DS_SELF
objACE7.AceFlags = 0
objACE7.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE7.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE7.ObjectType = VALIDATED_SPN
' Write Self: Validated DNS Host Name
set objACE8 = CreateObject("AccessControlEntry")
objACE8.Trustee = strUser
objACE8.AccessMask = ADS_RIGHT_DS_SELF
objACE8.AceFlags = 0
objACE8.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE8.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE8.ObjectType = VALIDATED_DNS_HOST_NAME
objDACL.AddAce objACE1
objDACL.AddAce objACE2
objDACL.AddAce objACE3
objDACL.AddAce objACE4
objDACL.AddAce objACE5
objDACL.AddAce objACE6
objDACL.AddAce objACE7
objDACL.AddAce objACE8
'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objComputer.Put "nTSecurityDescriptor", objSD
objComputer.SetInfo
WScript.Echo "Successfully created " & strComputer & _
" and gave rights to " & strUser
Discussion
By default, members of the Authenticated Users group can join up to 10 computers to an Active Directory domain (the limit is the ms-DS-MachineAccountQuota attribute on the domain naming context). If you've modified this default behavior, or need to allow a user to add computers to the domain on a regular basis, you need to grant permissions on the computer object so that the user has rights to modify it. When you create a computer via the ADUC snap-in, you have the option to select a user or group to manage the computer object and join a computer to the domain using that object. When you use that method, eight ACEs are added to the ACL of the computer object. They are:
- List Contents, Read All Properties, Delete, Delete Subtree, Read Permissions, All Extended Rights (i.e., Allowed to Authenticate, Change Password, Send As, Receive As, Reset Password)
- Write Property for description
- Write Property for sAMAccountName
- Write Property for displayName
- Write Property for Logon Information
- Write Property for Account Restrictions
- Validated write to DNS host name
- Validated write to service principal name
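The same eight ACEs, created and applied with PowerShell instead of dsacls or ADSI. This is an added example and not code from the Active Directory Cookbook; it assumes the RSAT ActiveDirectory module is loaded, and the computer name JOE-WS01, the principal RALLENCORP\joe and the Computers container are placeholders you replace. The GUIDs are the schemaIDGUID and rightsGUID values that the VBScript constants in the solution use.

```powershell
# Added example (not from the Active Directory Cookbook): pre-stage a computer
# object and grant one principal the eight ACEs ADUC adds when you choose
# "The following user or group can join this computer to a domain".
# Assumes the RSAT ActiveDirectory module; JOE-WS01, RALLENCORP\joe and the
# Computers container below are placeholders.
Import-Module ActiveDirectory

# Attribute schemaIDGUIDs: one WriteProperty ACE each
$Attr = @{
    description    = [guid]'bf967950-0de6-11d0-a285-00aa003049e2'
    sAMAccountName = [guid]'3e0abfd0-126a-11d0-a060-00aa006c33ed'
    displayName    = [guid]'bf967953-0de6-11d0-a285-00aa003049e2'
}
# Property-set rightsGUIDs: WriteProperty over the whole set
$PropertySet = @{
    'Logon Information'    = [guid]'5f202010-79a5-11d0-9020-00c04fc2d4cf'
    'Account Restrictions' = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'
}
# Validated-write rightsGUIDs: Self (dsacls "WS") rather than WriteProperty
$ValidatedWrite = @{
    'Validated write to DNS host name'          = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
    'Validated write to service principal name' = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
}

function New-JoinerAccessRules {
    # Returns the eight ActiveDirectoryAccessRule objects for $Principal
    param([string]$Principal)
    $R     = [System.DirectoryServices.ActiveDirectoryRights]
    $Allow = [System.Security.AccessControl.AccessControlType]::Allow
    $Sid   = ([System.Security.Principal.NTAccount]$Principal).Translate(
                 [System.Security.Principal.SecurityIdentifier])

    # ACE 1: dsacls "CALCGRSDDTRC" = control access, list contents, generic read,
    # delete, delete subtree, read control. No object type, so it is object-wide.
    $rules = @(
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Sid,
            ($R::ExtendedRight -bor $R::ListChildren -bor $R::GenericRead -bor
             $R::Delete -bor $R::DeleteTree -bor $R::ReadControl), $Allow)
    )
    # ACEs 2-6: WriteProperty scoped by GUID to one attribute or property set.
    # Passing the GUID makes the rule an object-specific ACE (ObjectAceTypePresent).
    foreach ($g in (@($Attr.Values) + @($PropertySet.Values))) {
        $rules += [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                      $Sid, $R::WriteProperty, $Allow, $g)
    }
    # ACEs 7-8: Self scoped to the validated-write right; the DC validates the
    # value, so the principal cannot write an arbitrary SPN or dNSHostName.
    foreach ($g in $ValidatedWrite.Values) {
        $rules += [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                      $Sid, $R::Self, $Allow, $g)
    }
    return $rules
}

function New-PrestagedComputer {
    # Creates the computer object, then appends the eight ACEs to its DACL
    param([string]$Name, [string]$Principal, [string]$Path)
    $computer = New-ADComputer -Name $Name -SamAccountName "$Name`$" -Path $Path -PassThru
    $adPath   = 'AD:\' + $computer.DistinguishedName
    $acl = Get-Acl -Path $adPath                     # current nTSecurityDescriptor
    foreach ($rule in (New-JoinerAccessRules -Principal $Principal)) {
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $adPath -AclObject $acl            # commits the modified DACL
    return $computer
}

New-PrestagedComputer -Name 'JOE-WS01' -Principal 'RALLENCORP\joe' `
    -Path ('CN=Computers,' + (Get-ADDomain).DistinguishedName)
```

Get-Acl and Set-Acl against the AD: drive read and write the nTSecurityDescriptor attribute directly, so this is the same operation the VBScript performs with IADsSecurityDescriptor. Nothing here grants GenericWrite, WriteDacl or WriteOwner; keep it that way, since those rights would let the principal change far more than the join-related attributes.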
Using a graphical user interface
If you want to modify the default permissions that are applied when you select a user or group through the GUI, double-click on the computer object after you've created it and go to the Security tab. For the Security tab to be visible, you have to select View -> Advanced Features.
Using a command-line interface
With the dsacls utility, you can specify either a UPN (user@domain) or down-level style (DOMAIN\user) account name when applying permissions. Note how the objects are named: attributes are given by their lDAPDisplayName (description, sAMAccountName, displayName, userAccountControl), but for property sets, validated writes, and extended rights dsacls requires the displayName of the controlAccessRight object, not the lDAPDisplayName-style name one might expect. That is why the ACE for the SPN validated write uses "Validated write to service principal name," which is the displayName of the Validated-SPN controlAccessRight object. dsacls is also case sensitive, so be sure to specify the correct case for the words in the displayName.
Using VBScript
After creating the computer object, similar to Recipe 8.1, create an ACE object for each of the eight ACEs previously listed using the IADsAccessControlEntry interface.
To apply the ACEs, retrieve the current security descriptor for the computer object, which is stored in the nTSecurityDescriptor attribute, add the eight ACEs to its DACL, and write the descriptor back. Finally, call SetInfo to commit the change to Active Directory. For more information on setting ACEs and ACLs programmatically, see the IADsAccessControlEntry documentation in MSDN.
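Whichever method you used, read the DACL back to confirm the principal holds exactly the eight ACEs and nothing broader. The following is an added example, not code from the Active Directory Cookbook; it assumes the RSAT ActiveDirectory module, and JOE-WS01 and RALLENCORP\joe are placeholders. It resolves each ACE's ObjectType GUID the way the directory names them (lDAPDisplayName for attributes from the schema partition, displayName for property sets, validated writes and extended rights from CN=Extended-Rights), which is also the naming dsacls expects in the discussion above.

```powershell
# Added example (not from the Active Directory Cookbook): list a principal's
# explicit ACEs on a computer object with their targets resolved to names, and
# flag any ACE wider than the scoped property/validated writes described above.
# Assumes the RSAT ActiveDirectory module; JOE-WS01 and RALLENCORP\joe are placeholders.
Import-Module ActiveDirectory

function Get-ADObjectTypeMap {
    # GUID -> name for everything an ACE ObjectType can refer to
    $root = Get-ADRootDSE
    $map  = @{}
    # Attributes and classes: schemaIDGUID -> lDAPDisplayName
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    # Property sets, validated writes, extended rights: rightsGUID -> displayName
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGUID |
        ForEach-Object { $map[[guid]$_.rightsGUID] = $_.displayName }
    return $map
}

function Test-BroadRight {
    # True when a single ACE grants more than a scoped write: generic/owner/DACL
    # control, or WriteProperty with no ObjectType (every attribute on the object).
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType)
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($flag in @($R::GenericAll, $R::GenericWrite, $R::WriteDacl, $R::WriteOwner)) {
        # containment test, not -band != 0: the page's first ACE shares bits with GenericAll
        if (($Rights -band $flag) -eq $flag) { return $true }
    }
    return ((($Rights -band $R::WriteProperty) -eq $R::WriteProperty) -and
            ($ObjectType -eq [guid]::Empty))
}

function Get-ComputerAceReport {
    param([string]$ComputerName, [string]$Principal)
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"        # nTSecurityDescriptor of the computer
    $map = Get-ADObjectTypeMap
    foreach ($ace in $acl.Access) {
        # Only ACEs set on this object for this principal; inherited ones come from the OU
        if ($ace.IsInherited -or $ace.IdentityReference.Value -ne $Principal) { continue }
        $target = if ($ace.ObjectType -eq [guid]::Empty) { '(whole object)' }
                  elseif ($map.ContainsKey($ace.ObjectType)) { $map[$ace.ObjectType] }
                  else { $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Type   = $ace.AccessControlType
            Rights = $ace.ActiveDirectoryRights
            Target = $target
            Broad  = Test-BroadRight -Rights $ace.ActiveDirectoryRights -ObjectType $ace.ObjectType
        }
    }
}

Get-ComputerAceReport -ComputerName 'JOE-WS01' -Principal 'RALLENCORP\joe' | Format-Table -AutoSize
```

For a computer prestaged as described on this page, the report should show eight Allow entries, with Target values such as description, sAMAccountName, Logon Information and Validated write to service principal name, and Broad false on every row. A true in the Broad column means someone granted wider rights than the join procedure requires and the object's DACL should be corrected.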
See Also
Recipe 8.1 for creating a computer account; MS KB 238793 (Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain); MS KB 283771 (How to Prestage Windows 2000 Computers in Active Directory); MS KB 320187 (How to Manage Computer Accounts in Active Directory in Windows 2000); MSDN: IADsAccessControlEntry; MSDN: ADS_ACETYPE_ENUM; MSDN: ADS_RIGHTS_ENUM; MSDN: ADS_FLAGTYPE_ENUM
This article is excerpted from chapter eight of the Active Directory Cookbook, Second Edition, written by Robbie Allen and Laura E. Hunter (O'Reilly; ISBN: 059610202X).