Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Advanced configuration of ms-ds-machineAccountQuota [message #160230] Fri, 21 August 2009 07:42
PaulBUSAF
Messages: 2
Registered: August 2009
Junior Member
I have set ms-ds-machineAccountQuota to 0. However...one of my ~200+ Domain
Admin brethren continues to change it to astronomical numbers. Forgoing the
process of sifting through REPLMON and wrapping DC security logs, how can I
change that attribute in the Schema to either:

1. Be non-writable once the correct value is set (i.e. 0)

OR

2. Make the minimum and maximum be 0

If either is accomplishable, are there any known gotchas? Thanks, Paul
Re: Advanced configuration of ms-ds-machineAccountQuota [message #160234 is a reply to message #160230] Fri, 21 August 2009 12:48
pbbergs (United States)
Messages: 1024
Registered: July 2009
Senior Member
Take away about 198 of the domain admins. Sounds like you just have a free
for all.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"Paul B. (USAF)" <PaulBUSAF@discussions.microsoft.com> wrote in message
news:9B56B124-C255-474B-ABF7-6BE3C14B7F4C@microsoft.com...
> I have set ms-ds-machineAccountQuota to 0. However...one of my ~200+ Domain
> Admin brethren continues to change it to astronomical numbers. Forgoing the
> process of sifting through REPLMON and wrapping DC security logs, how can I
> change that attribute in the Schema to either:
>
> 1. Be non-writable once the correct value is set (i.e. 0)
>
> OR
>
> 2. Make the minimum and maximum be 0
>
> If either is accomplishable, are there any known gotchas? Thanks, Paul
Re: Advanced configuration of ms-ds-machineAccountQuota [message #160235 is a reply to message #160230] Fri, 21 August 2009 13:16
Marcin (United States)
Messages: 273
Registered: July 2009
Senior Member
As Paul has stated, your problem is not related to the ms-ds-machineAccountQuota
attribute, but to a lack of proper delegation. Incidentally, the value of the
attribute itself is not relevant if the user account in whose security
context a computer account is added has sufficient permissions on the
parent container - which is clearly the case in your environment...

hth
Marcin

"Paul B. (USAF)" <PaulBUSAF@discussions.microsoft.com> wrote in message
news:9B56B124-C255-474B-ABF7-6BE3C14B7F4C@microsoft.com...
> I have set ms-ds-machineAccountQuota to 0. However...one of my ~200+ Domain
> Admin brethren continues to change it to astronomical numbers. Forgoing the
> process of sifting through REPLMON and wrapping DC security logs, how can I
> change that attribute in the Schema to either:
>
> 1. Be non-writable once the correct value is set (i.e. 0)
>
> OR
>
> 2. Make the minimum and maximum be 0
>
> If either is accomplishable, are there any known gotchas? Thanks, Paul
Re: Advanced configuration of ms-ds-machineAccountQuota [message #160236 is a reply to message #160230] Fri, 21 August 2009 13:49
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Paul B. (USAF)" <PaulBUSAF@discussions.microsoft.com> wrote in message
news:9B56B124-C255-474B-ABF7-6BE3C14B7F4C@microsoft.com...
> I have set ms-ds-machineAccountQuota to 0. However...one of my ~200+ Domain
> Admin brethren continues to change it to astronomical numbers. Forgoing the
> process of sifting through REPLMON and wrapping DC security logs, how can I
> change that attribute in the Schema to either:
>
> 1. Be non-writable once the correct value is set (i.e. 0)
>
> OR
>
> 2. Make the minimum and maximum be 0
>
> If either is accomplishable, are there any known gotchas? Thanks, Paul


Let me understand this - you are in an environment where you, or
your IT Director or Manager, have given total Domain Admin rights to 200
administrators?
Wow! Not to sound too surprised, but in all the large environments I've
worked, this is the first I'm hearing of such a scenario. Usually admins are
delegated to specific OUs, whereas the IT Manager, or someone in charge, has
complete control of the whole environment.

That's the problem. I guess there are no rules governing change management
in the org? With that many admins, I would assume there would be some
guidelines in place, change management & approval, SLAs, and stipulations in
place.

Too many chefs and not enough cooks...

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: Advanced configuration of ms-ds-machineAccountQuota [message #160237 is a reply to message #160236] Fri, 21 August 2009 14:36
PaulBUSAF
Messages: 2
Registered: August 2009
Junior Member
Gents,

You are all right...I agree. Trust me...I am battle-hardened to that fact
and I keep plucking them out. However, my problem still remains. It's not
the admins adding the computers...it's the normal user once the bit is
changed from 0 to whatever. If I can modify the attribute in the Schema
(of which thankfully only I and two others are members), then I may have a
fighting chance.

And yes...800K users world-wide in a single domain. Delegation model is a
priority.

"Ace Fekay [MCT]" wrote:

> "Paul B. (USAF)" <PaulBUSAF@discussions.microsoft.com> wrote in message
> news:9B56B124-C255-474B-ABF7-6BE3C14B7F4C@microsoft.com...
> > I have set ms-ds-machineAccountQuota to 0. However...one of my ~200+ Domain
> > Admin brethren continues to change it to astronomical numbers. Forgoing the
> > process of sifting through REPLMON and wrapping DC security logs, how can I
> > change that attribute in the Schema to either:
> >
> > 1. Be non-writable once the correct value is set (i.e. 0)
> >
> > OR
> >
> > 2. Make the minimum and maximum be 0
> >
> > If either is accomplishable, are there any known gotchas? Thanks, Paul
>
>
> Let me understand this - you are in an environment where you, or
> your IT Director or Manager, have given total Domain Admin rights to 200
> administrators?
> Wow! Not to sound too surprised, but in all the large environments I've
> worked, this is the first I'm hearing of such a scenario. Usually admins are
> delegated to specific OUs, whereas the IT Manager, or someone in charge, has
> complete control of the whole environment.
>
> That's the problem. I guess there are no rules governing change management
> in the org? With that many admins, I would assume there would be some
> guidelines in place, change management & approval, SLAs, and stipulations in
> place.
>
> Too many chefs and not enough cooks...
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among
> responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>
Re: Advanced configuration of ms-ds-machineAccountQuota [message #160240 is a reply to message #160237] Fri, 21 August 2009 17:39
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Paul B. (USAF)" <PaulBUSAF@discussions.microsoft.com> wrote in message
news:A6B0256F-916C-4070-BCCB-C96D0DCADC8F@microsoft.com...
> Gents,
>
> You are all right...I agree. Trust me...I am battle-hardened to that fact
> and I keep plucking them out. However, my problem still remains. It's not
> the admins adding the computers...it's the normal user once the bit is
> changed from 0 to whatever. If I can modify the attribute in the Schema
> (of which thankfully only I and two others are members), then I may have a
> fighting chance.
>
> And yes...800K users world-wide in a single domain. Delegation model is a
> priority.
>
>


That's a pretty large organization. Surprised something wasn't put in place
years ago.

The Schema can be looked at as the DNA of the forest. It defines the types of
objects that can be created, and what attributes can be associated with an
object. There are objects (also looked at as object classes), as well as
child objects. One good example I recite when teaching an AD class is the
Big Mac. You remember the old McDonald's commercial song: two all-beef
patties, special sauce, lettuce, cheese, pickles, onions on a sesame seed
bun. Basically it's a child object. The parent object is a hamburger, which
would be the object class, with predefined Must Have attributes, a bun and a
beef patty. Then there are optional May Contain attributes, such as cheese,
onions, and whatever other attributes you would define. You can then create
pre-defined child objects of the parent, such as, getting back to the Big
Mac, one predefined with Must Contains from the list in the song.

Anyway, getting back to your question about predefining a value for the
attribute: no, that, as far as I know, cannot be done in the Schema. The
Schema just defines the types of objects, whereas in a directory-enabled
application, such as AD, Exchange, etc., you can define values for the
object, as you would within ADSI Edit for ms-ds-machineAccountQuota.

My feeling is, if all the users are domain admins, you can continue to keep
them as such, but what I may suggest, if you can get away with it or
implement it, is to create a domain admin group (whatever you want to call it),
then delegate it at the domain level to be able to perform certain or even
all functions, but not be allowed to change domain attributes; then, one day on
each account, remove them from the Domain Admins group and add them to the
new group you defined. They will not notice any difference unless someone
tries to go into ADSI Edit to change any attributes, where they will be
denied.

Ace
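An added audit script, not from the thread and not from any of its posters, covering the two points made above: Marcin's observation that the quota is irrelevant to anyone who already holds create-child rights on the container, and Ace's suggestion to move administrators out of Domain Admins into a delegated group. It assumes the ActiveDirectory PowerShell module (RSAT, which post-dates this 2009 thread) loaded in a domain-joined session with read access to the domain ACLs.

```powershell
# Added example (not from the thread). Reports the current quota, the size of
# Domain Admins, and every principal explicitly allowed to create computer
# objects on the domain root and the default Computers container. Those
# principals never consume ms-DS-MachineAccountQuota, so changing the quota
# alone says nothing about who can actually join machines.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. Current value of ms-DS-MachineAccountQuota (stored on the domain NC head).
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $dn = $quota"
if ($quota -ne 0) { "WARNING: quota is non-zero; ordinary users can join up to $quota machines each" }

# 2. How many accounts sit in Domain Admins (nested membership expanded).
$daCount = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive).Count
"Domain Admins (recursive) = $daCount members"

# 3. Who is allowed 'Create Child' for the computer class, or for all classes,
#    on the containers where new computer objects normally land.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'computer'
$createChild       = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$containers        = @($dn, $domain.ComputersContainer)

foreach ($c in $containers) {
    $acl = Get-Acl -Path ("AD:\" + $c)
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
            ($_.ObjectType -eq $computerClassGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object @{n='Container';e={$c}}, IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
        Format-Table -AutoSize
}
```

An `ObjectType` of all zeros means the ACE grants Create Child for every class, not just computers; review those entries first when building the delegated group Ace describes.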