|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Active Directory Machine Account Permissionsgroup that has the rights to join the computer to the domain (by default it is Domain Admins). I can create the accounts, and join them as a domain admin. The problem arises when the local administrators who have been delagated control to thier OU try to join the computer to the domain. They are recieveing an Account Exists error. This all works on my test domain with an account I have set up there, but fails on the live domain. I want to explicity assign Full Control of the computer account object to the local admins group for the OU to see if this will fix the problem. I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method but can't find any documentation on it. (is it part of asp 2.0?) Any help is appreciated, Jay Here is my creation code: // Create the new Object DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + MachineName, SchemaName); // Create Computer Account NewComputer.Properties["sAMAccountName"].Add(MachineName + "$"); NewComputer.Properties["description"].Add(MachDesc); NewComputer.Properties["userAccountControl"].Add(AccountControl); // Save Computer Account NewComputer.CommitChanges(); // Create routine to set group able to add the computer to the domain // as the Designated OU Global Group <!-- here is where I am having the problem --> NewComputer.Close(); Did you find a solution for this? I didn't see a reply.
To modify the security descriptor in .NET 1.1, you need to do COM Interop with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs in MSDN. The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you want to use the beta or CTP though. :) Joe K. Show quoteHide quote "Jay Armstrong" <JayArmstr***@discussions.microsoft.com> wrote in message news:37422076-E5D3-451A-B85F-8F73FBFD26C9@microsoft.com... >I am creating computer accounts from a web interface and need to set the > group that has the rights to join the computer to the domain (by default > it > is Domain Admins). > > I can create the accounts, and join them as a domain admin. The problem > arises when the local administrators who have been delagated control to > thier > OU try to join the computer to the domain. They are recieveing an Account > Exists error. > > This all works on my test domain with an account I have set up there, but > fails on the live domain. > > I want to explicity assign Full Control of the computer account object to > the local admins group for the OU to see if this will fix the problem. > > I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method > but > can't find any documentation on it. (is it part of asp 2.0?) > > Any help is appreciated, > > Jay > > Here is my creation code: > > // Create the new Object > DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + MachineName, > SchemaName); > > // Create Computer Account > NewComputer.Properties["sAMAccountName"].Add(MachineName + "$"); > NewComputer.Properties["description"].Add(MachDesc); > NewComputer.Properties["userAccountControl"].Add(AccountControl); > > // Save Computer Account > NewComputer.CommitChanges(); > > // Create routine to set group able to add the computer to the domain > // as the Designated OU Global Group > <!-- here is where I am having the problem --> > > NewComputer.Close(); > Joe,
Thanks for the feedback. Unfortunately I cannot run 2.0 on my production servers, so I will have to wait for the AD security code. We tracked it down to a rights assignment not taking. After removing the delegation and recreating it, the remote admins could join the machines to the domain. We would still like to explicitly assign the rights to the groups, but I (still) can't find the examples you mention in the MSDN. Do you have a link? Jay Show quoteHide quote "Joe Kaplan (MVP - ADSI)" wrote: > Did you find a solution for this? I didn't see a reply. > > To modify the security descriptor in .NET 1.1, you need to do COM Interop > with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs in > MSDN. > > The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you want > to use the beta or CTP though. :) > > Joe K. > > "Jay Armstrong" <JayArmstr***@discussions.microsoft.com> wrote in message > news:37422076-E5D3-451A-B85F-8F73FBFD26C9@microsoft.com... > >I am creating computer accounts from a web interface and need to set the > > group that has the rights to join the computer to the domain (by default > > it > > is Domain Admins). > > > > I can create the accounts, and join them as a domain admin. The problem > > arises when the local administrators who have been delagated control to > > thier > > OU try to join the computer to the domain. They are recieveing an Account > > Exists error. > > > > This all works on my test domain with an account I have set up there, but > > fails on the live domain. > > > > I want to explicity assign Full Control of the computer account object to > > the local admins group for the OU to see if this will fix the problem. > > > > I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method > > but > > can't find any documentation on it. (is it part of asp 2.0?) > > > > Any help is appreciated, > > > > Jay > > > > Here is my creation code: > > > > // Create the new Object > > DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + MachineName, > > SchemaName); > > > > // Create Computer Account > > NewComputer.Properties["sAMAccountName"].Add(MachineName + "$"); > > NewComputer.Properties["description"].Add(MachDesc); > > NewComputer.Properties["userAccountControl"].Add(AccountControl); > > > > // Save Computer Account > > NewComputer.CommitChanges(); > > > > // Create routine to set group able to add the computer to the domain > > // as the Designated OU Global Group > > <!-- here is where I am having the problem --> > > > > NewComputer.Close(); > > > > > This is the only SDS-specific sample:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/security_descriptor_property_type.asp?frame=true The real body of the security stuff is in the AD SDK. You essentially need to translate those from ADSI to SDS, but they are essentially the same. They start here (probably read the whole thing twice :)): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/controlling_access_to_active_directory_objects.asp?frame=true Generally, I try to avoid doing this stuff in code as much as possible as it kind of sucks. However, when forced to do it, I generally try making the changes in the UI first, dump out the resulting SD in code, then try to make the same changes in code to get it working. If you need to play with the inheritance settings, you need to mess with the flags (the "protected" flag specifically) on the Control member on the SD. Best of luck. I'm sure you'll get this working eventually. Joe K. Show quoteHide quote "Jay Armstrong" <JayArmstr***@discussions.microsoft.com> wrote in message news:194459E4-4FC6-47C5-B210-CF2C75931770@microsoft.com... > Joe, > > Thanks for the feedback. Unfortunately I cannot run 2.0 on my production > servers, so I will have to wait for the AD security code. > > We tracked it down to a rights assignment not taking. After removing the > delegation and recreating it, the remote admins could join the machines to > the domain. > > We would still like to explicitly assign the rights to the groups, but I > (still) can't find the examples you mention in the MSDN. Do you have a > link? > > Jay > > "Joe Kaplan (MVP - ADSI)" wrote: > >> Did you find a solution for this? I didn't see a reply. >> >> To modify the security descriptor in .NET 1.1, you need to do COM Interop >> with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs >> in >> MSDN. >> >> The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you >> want >> to use the beta or CTP though. :) >> >> Joe K. >> >> "Jay Armstrong" <JayArmstr***@discussions.microsoft.com> wrote in message >> news:37422076-E5D3-451A-B85F-8F73FBFD26C9@microsoft.com... >> >I am creating computer accounts from a web interface and need to set the >> > group that has the rights to join the computer to the domain (by >> > default >> > it >> > is Domain Admins). >> > >> > I can create the accounts, and join them as a domain admin. The problem >> > arises when the local administrators who have been delagated control to >> > thier >> > OU try to join the computer to the domain. They are recieveing an >> > Account >> > Exists error. >> > >> > This all works on my test domain with an account I have set up there, >> > but >> > fails on the live domain. >> > >> > I want to explicity assign Full Control of the computer account object >> > to >> > the local admins group for the OU to see if this will fix the problem. >> > >> > I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method >> > but >> > can't find any documentation on it. (is it part of asp 2.0?) >> > >> > Any help is appreciated, >> > >> > Jay >> > >> > Here is my creation code: >> > >> > // Create the new Object >> > DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + >> > MachineName, >> > SchemaName); >> > >> > // Create Computer Account >> > NewComputer.Properties["sAMAccountName"].Add(MachineName + "$"); >> > NewComputer.Properties["description"].Add(MachDesc); >> > NewComputer.Properties["userAccountControl"].Add(AccountControl); >> > >> > // Save Computer Account >> > NewComputer.CommitChanges(); >> > >> > // Create routine to set group able to add the computer to the domain >> > // as the Designated OU Global Group >> > <!-- here is where I am having the problem --> >> > >> > NewComputer.Close(); >> > >> >> >> That looks like it will do it! Thanks. Good to know there are people like you
out there to help. I've done some of this in vbscript, but C# and .NET are new animals to me. I can get an ASP.NET website up and running, but the advanced stuff is still up the learning curve. I have some reading to do. Jay Show quoteHide quote "Joe Kaplan (MVP - ADSI)" wrote: > This is the only SDS-specific sample: > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/security_descriptor_property_type.asp?frame=true > > The real body of the security stuff is in the AD SDK. You essentially need > to translate those from ADSI to SDS, but they are essentially the same. > They start here (probably read the whole thing twice :)): > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/controlling_access_to_active_directory_objects.asp?frame=true > > Generally, I try to avoid doing this stuff in code as much as possible as it > kind of sucks. However, when forced to do it, I generally try making the > changes in the UI first, dump out the resulting SD in code, then try to make > the same changes in code to get it working. If you need to play with the > inheritance settings, you need to mess with the flags (the "protected" flag > specifically) on the Control member on the SD. > > Best of luck. I'm sure you'll get this working eventually. > > Joe K. > > "Jay Armstrong" <JayArmstr***@discussions.microsoft.com> wrote in message > news:194459E4-4FC6-47C5-B210-CF2C75931770@microsoft.com... > > Joe, > > > > Thanks for the feedback. Unfortunately I cannot run 2.0 on my production > > servers, so I will have to wait for the AD security code. > > > > We tracked it down to a rights assignment not taking. After removing the > > delegation and recreating it, the remote admins could join the machines to > > the domain. > > > > We would still like to explicitly assign the rights to the groups, but I > > (still) can't find the examples you mention in the MSDN. Do you have a > > link? > > > > Jay > > > > "Joe Kaplan (MVP - ADSI)" wrote: > > > >> Did you find a solution for this? I didn't see a reply. > >> > >> To modify the security descriptor in .NET 1.1, you need to do COM Interop > >> with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs > >> in > >> MSDN. > >> > >> The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you > >> want > >> to use the beta or CTP though. :) > >> > >> Joe K. > >> > >> "Jay Armstrong" <JayArmstr***@discussions.microsoft.com> wrote in message > >> news:37422076-E5D3-451A-B85F-8F73FBFD26C9@microsoft.com... > >> >I am creating computer accounts from a web interface and need to set the > >> > group that has the rights to join the computer to the domain (by > >> > default > >> > it > >> > is Domain Admins). > >> > > >> > I can create the accounts, and join them as a domain admin. The problem > >> > arises when the local administrators who have been delagated control to > >> > thier > >> > OU try to join the computer to the domain. They are recieveing an > >> > Account > >> > Exists error. > >> > > >> > This all works on my test domain with an account I have set up there, > >> > but > >> > fails on the live domain. > >> > > >> > I want to explicity assign Full Control of the computer account object > >> > to > >> > the local admins group for the OU to see if this will fix the problem. > >> > > >> > I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method > >> > but > >> > can't find any documentation on it. (is it part of asp 2.0?) > >> > > >> > Any help is appreciated, > >> > > >> > Jay > >> > > >> > Here is my creation code: > >> > > >> > // Create the new Object > >> > DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + > >> > MachineName, > >> > SchemaName); > >> > > >> > // Create Computer Account > >> > NewComputer.Properties["sAMAccountName"].Add(MachineName + "$"); > >> > NewComputer.Properties["description"].Add(MachDesc); > >> > NewComputer.Properties["userAccountControl"].Add(AccountControl); > >> > > >> > // Save Computer Account > >> > NewComputer.CommitChanges(); > >> > > >> > // Create routine to set group able to add the computer to the domain > >> > // as the Designated OU Global Group > >> > <!-- here is where I am having the problem --> > >> > > >> > NewComputer.Close(); > >> > > >> > >> > >> > > > 
Other interesting topics
Medium Level Trust and Reflection
API to access loaded assembly hash Method SetThreadPrincipal Make Security to Directory Forms authentication periodically requires re-login XmlSerialization of classes with declarative Security Troubleshoot Caspol System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, Publi Windows user controls in a web page: Security file access problem |
|||||||||||||||||||||||
