Active Directory Machine Account Permissions


  1. #1

    Active Directory Machine Account Permissions

    I am creating computer accounts from a web interface and need to set the
    group that has the rights to join the computer to the domain (by default it
    is Domain Admins).

    I can create the accounts, and join them as a domain admin. The problem
    arises when the local administrators who have been delegated control to their
    OU try to join the computer to the domain. They are receiving an Account
    Exists error.

    This all works on my test domain with an account I have set up there, but
    fails on the live domain.

    I want to explicitly assign Full Control of the computer account object to
    the local admins group for the OU to see if this will fix the problem.

    I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method but
    can't find any documentation on it. (is it part of asp 2.0?)

    Any help is appreciated,

    Jay

    Here is my creation code:

    using System.DirectoryServices;

    // DirLocation is the DirectoryEntry bound to the target OU; SchemaName is
    // the object class ("computer"); MachineName, MachDesc and AccountControl
    // come from the web form.

    // Create the new Object
    DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + MachineName,
        SchemaName);

    // Create Computer Account
    NewComputer.Properties["sAMAccountName"].Add(MachineName + "$");
    NewComputer.Properties["description"].Add(MachDesc);
    NewComputer.Properties["userAccountControl"].Add(AccountControl);

    // Save Computer Account
    NewComputer.CommitChanges();

    // Create routine to set group able to add the computer to the domain
    // as the Designated OU Global Group
    // here is where I am having the problem

    NewComputer.Close();

    Jay Armstrong

  3. #2

    Re: Active Directory Machine Account Permissions

    Did you find a solution for this? I didn't see a reply.

    To modify the security descriptor in .NET 1.1, you need to do COM Interop
    with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs in
    MSDN.

    The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you want
    to use the beta or CTP though. :)

    Joe K.

    Joe Kaplan (MVP - ADSI)

  4. #3

    Re: Active Directory Machine Account Permissions

    Joe,

    Thanks for the feedback. Unfortunately I cannot run 2.0 on my production
    servers, so I will have to wait for the AD security code.

    We tracked it down to a rights assignment not taking. After removing the
    delegation and recreating it, the remote admins could join the machines to
    the domain.

    We would still like to explicitly assign the rights to the groups, but I
    (still) can't find the examples you mention in the MSDN. Do you have a link?

    Jay

    Jay Armstrong

  5. #4

    Re: Active Directory Machine Account Permissions

    This is the only SDS-specific sample:

    [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/security_descriptor_property_type.asp?frame=true[/url]

    The real body of the security stuff is in the AD SDK. You essentially need
    to translate those from ADSI to SDS, but they are essentially the same.
    They start here (probably read the whole thing twice :)):

    [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/controlling_access_to_active_directory_objects.asp?frame=true[/url]

    Generally, I try to avoid doing this stuff in code as much as possible as it
    kind of sucks. However, when forced to do it, I generally try making the
    changes in the UI first, dump out the resulting SD in code, then try to make
    the same changes in code to get it working. If you need to play with the
    inheritance settings, you need to mess with the flags (the "protected" flag
    specifically) on the Control member on the SD.

    Best of luck. I'm sure you'll get this working eventually.

    Joe K.

    Joe Kaplan (MVP - ADSI)
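    The .NET 2.0 route Joe points to in #2 (ActiveDirectorySecurity on DirectoryEntry.ObjectSecurity) combined with his dump-then-replicate approach in #4, as an added example that is not code from this thread: it reads the computer object's DACL as SDDL, reports the "protected" flag he mentions, adds an Allow ACE for the OU admins group, commits, and reads the descriptor back for comparison. The LDAP path, domain and group name are placeholders, and the caller is assumed to bind with an account that may write the object's security descriptor.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

class ComputerAccountAcl
{
    static void Main()
    {
        // Constructed placeholders: replace with the real object and group.
        string computerPath = "LDAP://CN=WS-PLACEHOLDER,OU=Workstations,DC=example,DC=com";
        string groupAccount = @"EXAMPLE\OU-Workstation-Admins";

        using (DirectoryEntry computer = new DirectoryEntry(computerPath))
        {
            ActiveDirectorySecurity sd = computer.ObjectSecurity;

            // Step 1 of Joe's method: dump the current DACL so a change made in
            // the UI can be compared against what the code produces.
            Console.WriteLine("Before: " +
                sd.GetSecurityDescriptorSddlForm(AccessControlSections.Access));

            // The SE_DACL_PROTECTED bit in the SD Control field: when true, ACEs
            // delegated on the OU no longer flow down to this object.
            Console.WriteLine("DACL protected: " + sd.AreAccessRulesProtected);

            // Resolve the group to a SID; the ACE must carry a SID, not a name.
            NTAccount group = new NTAccount(groupAccount);
            SecurityIdentifier sid =
                (SecurityIdentifier)group.Translate(typeof(SecurityIdentifier));

            // Full Control (GenericAll) on this one object is what the thread asks
            // for; a join only needs a narrower set of rights, so scope it down
            // once the explicit ACE is confirmed to work.
            ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(
                sid,
                ActiveDirectoryRights.GenericAll,
                AccessControlType.Allow,
                ActiveDirectorySecurityInheritance.None);
            sd.AddAccessRule(rule);

            // Keep inheritance from the OU intact (protected = false, preserve
            // inherited ACEs = true) unless cutting the object off is intended.
            sd.SetAccessRuleProtection(false, true);

            // The modified descriptor is written with the next commit.
            computer.CommitChanges();

            // Re-read from the directory and dump again for the comparison.
            computer.RefreshCache();
            Console.WriteLine("After:  " + computer.ObjectSecurity
                .GetSecurityDescriptorSddlForm(AccessControlSections.Access));
        }
    }
}
```

Run it once against a test OU after making the same grant in the Active Directory Users and Computers UI and diff the two SDDL strings; any mismatch in ACE flags or inheritance shows up there before touching the live domain.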

  6. #5

    Re: Active Directory Machine Account Permissions

    That looks like it will do it! Thanks. Good to know there are people like you
    out there to help.

    I've done some of this in vbscript, but C# and .NET are new animals to me. I
    can get an ASP.NET website up and running, but the advanced stuff is still up
    the learning curve.

    I have some reading to do.

    Jay

    Jay Armstrong
