Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Strategy to Join Computers to Domain
Strategy to Join Computers to Domain [message #160653] Thu, 03 September 2009 11:43 Go to next message
Luiz  is currently offline Luiz
Messages: 119
Registered: July 2009
Senior Member
Hi,

I would like an advice about how can I permit some users to join more than
10 computers in the domain.
I intend to create a Group, put some users in it and create a GPO to permit
the users form that new Group put more than 10 computers in the domain.
I think that strategy is better than Delegation because I can get control
about the policy.
My doubt is where I link the GPO, is in Domain level or Domain Controller
level?

If anyone could help me I appreciate.

Thanks.

Luiz
Re: Strategy to Join Computers to Domain [message #160659 is a reply to message #160653] Thu, 03 September 2009 13:35 Go to previous messageGo to next message
JPolicelliMVPDS  is currently offline JPolicelliMVPDS
Messages: 4
Registered: August 2009
Junior Member
I would disagree with your approach because this permits members of this
group to add computers to the default Computers container. You would then
require another process (manual or automated) to move these computers to
another OU. If you go with a delegation model you can control which OUs the
computer can be created in when they are added. The following article should
be useful to you:
http://www.microsoft.com/downloads/details.aspx?FamilyID=631 747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en.

--

JPolicelli, MVP - Directory Services

http://www.policelli.com
http://policelli.com/blog

This posting is provided AS IS with no warranties and confers no rights.
Always plan and test.

----

"Luiz" <Luiz@discussions.microsoft.com> wrote in message
news:357BD7C2-2F3C-48D2-A0FB-FE158174EDE8@microsoft.com...
> Hi,
>
> I would like an advice about how can I permit some users to join more than
> 10 computers in the domain.
> I intend to create a Group, put some users in it and create a GPO to
> permit
> the users form that new Group put more than 10 computers in the domain.
> I think that strategy is better than Delegation because I can get control
> about the policy.
> My doubt is where I link the GPO, is in Domain level or Domain Controller
> level?
>
> If anyone could help me I appreciate.
>
> Thanks.
>
> Luiz
>
Re: Strategy to Join Computers to Domain [message #160661 is a reply to message #160659] Thu, 03 September 2009 13:44 Go to previous messageGo to next message
Luiz  is currently offline Luiz
Messages: 119
Registered: July 2009
Senior Member
Hi JPolicelli,

thanks for your advice.

Best Regards.

Luiz

"JPolicelli [MVP-DS]" wrote:

> I would disagree with your approach because this permits members of this
> group to add computers to the default Computers container. You would then
> require another process (manual or automated) to move these computers to
> another OU. If you go with a delegation model you can control which OUs the
> computer can be created in when they are added. The following article should
> be useful to you:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=631 747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en.
>
> --
>
> JPolicelli, MVP - Directory Services
>
> http://www.policelli.com
> http://policelli.com/blog
>
> This posting is provided AS IS with no warranties and confers no rights.
> Always plan and test.
>
> ----
>
> "Luiz" <Luiz@discussions.microsoft.com> wrote in message
> news:357BD7C2-2F3C-48D2-A0FB-FE158174EDE8@microsoft.com...
> > Hi,
> >
> > I would like an advice about how can I permit some users to join more than
> > 10 computers in the domain.
> > I intend to create a Group, put some users in it and create a GPO to
> > permit
> > the users form that new Group put more than 10 computers in the domain.
> > I think that strategy is better than Delegation because I can get control
> > about the policy.
> > My doubt is where I link the GPO, is in Domain level or Domain Controller
> > level?
> >
> > If anyone could help me I appreciate.
> >
> > Thanks.
> >
> > Luiz
> >
Re: Strategy to Join Computers to Domain [message #160662 is a reply to message #160653] Thu, 03 September 2009 13:56 Go to previous messageGo to next message
Cary Shultz  is currently offline Cary Shultz  United States
Messages: 127
Registered: August 2009
Senior Member
Luiz,

Create that group, open up ADSIEdit and go to the DC=yourdomain,DC=local
part and right click. Look for the ms-ds-machineaccountquota entry. You
will see a "10" in there. That is the default and I would probably not
change it.

Okay...now, that did not really answer your question...I just wanted you to
see where the value of "10" lives and where you would need to go if you
*should ever* want to change it.

On a Domain Controller if you wanted to change/control who can actually add
workstations to the domain then you would need to look at the Users Rights
Assignments. This is part of the Default Domain Controller Policy. You
will see the "Add workstations to the domain" entry in there and the
associated value is going to be "Authenticated Users". You could change
this accordingly.

Another thing that you could do would be to delegate this. The Delegation
Wizard can help you with this if you do not want to mess with dsacls
yourself!

HTH,

Cary
"Luiz" <Luiz@discussions.microsoft.com> wrote in message
news:357BD7C2-2F3C-48D2-A0FB-FE158174EDE8@microsoft.com...
> Hi,
>
> I would like an advice about how can I permit some users to join more than
> 10 computers in the domain.
> I intend to create a Group, put some users in it and create a GPO to
> permit
> the users form that new Group put more than 10 computers in the domain.
> I think that strategy is better than Delegation because I can get control
> about the policy.
> My doubt is where I link the GPO, is in Domain level or Domain Controller
> level?
>
> If anyone could help me I appreciate.
>
> Thanks.
>
> Luiz
>
Re: Strategy to Join Computers to Domain [message #160664 is a reply to message #160662] Thu, 03 September 2009 14:06 Go to previous messageGo to next message
Luiz  is currently offline Luiz
Messages: 119
Registered: July 2009
Senior Member
Hi Cary,

thank you for your help.


Best Regards.


Luiz

"Cary Shultz" wrote:

> Luiz,
>
> Create that group, open up ADSIEdit and go to the DC=yourdomain,DC=local
> part and right click. Look for the ms-ds-machineaccountquota entry. You
> will see a "10" in there. That is the default and I would probably not
> change it.
>
> Okay...now, that did not really answer your question...I just wanted you to
> see where the value of "10" lives and where you would need to go if you
> *should ever* want to change it.
>
> On a Domain Controller if you wanted to change/control who can actually add
> workstations to the domain then you would need to look at the Users Rights
> Assignments. This is part of the Default Domain Controller Policy. You
> will see the "Add workstations to the domain" entry in there and the
> associated value is going to be "Authenticated Users". You could change
> this accordingly.
>
> Another thing that you could do would be to delegate this. The Delegation
> Wizard can help you with this if you do not want to mess with dsacls
> yourself!
>
> HTH,
>
> Cary
> "Luiz" <Luiz@discussions.microsoft.com> wrote in message
> news:357BD7C2-2F3C-48D2-A0FB-FE158174EDE8@microsoft.com...
> > Hi,
> >
> > I would like an advice about how can I permit some users to join more than
> > 10 computers in the domain.
> > I intend to create a Group, put some users in it and create a GPO to
> > permit
> > the users form that new Group put more than 10 computers in the domain.
> > I think that strategy is better than Delegation because I can get control
> > about the policy.
> > My doubt is where I link the GPO, is in Domain level or Domain Controller
> > level?
> >
> > If anyone could help me I appreciate.
> >
> > Thanks.
> >
> > Luiz
> >
>
>
Re: Strategy to Join Computers to Domain [message #160676 is a reply to message #160653] Fri, 04 September 2009 01:18 Go to previous messageGo to next message
meiweb  is currently offline meiweb  Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Luiz,

Use delegate control, here are some good examples:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369. aspx

If you don't like it, change the default setting from 10:
http://support.microsoft.com/kb/243327/en-us

Also see:
http://support.microsoft.com/kb/932455

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> I would like an advice about how can I permit some users to join more
> than
> 10 computers in the domain.
> I intend to create a Group, put some users in it and create a GPO to
> permit
> the users form that new Group put more than 10 computers in the
> domain.
> I think that strategy is better than Delegation because I can get
> control
> about the policy.
> My doubt is where I link the GPO, is in Domain level or Domain
> Controller
> level?
> If anyone could help me I appreciate.
>
> Thanks.
>
> Luiz
>
Re: Strategy to Join Computers to Domain [message #160680 is a reply to message #160676] Fri, 04 September 2009 07:10 Go to previous message
Luiz  is currently offline Luiz
Messages: 119
Registered: July 2009
Senior Member
Hi Meinolf,

thanks for the help.

Best Regards.


Luiz Felipe

"Meinolf Weber [MVP-DS]" wrote:

> Hello Luiz,
>
> Use delegate control, here are some good examples:
> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369. aspx
>
> If you don't like it, change the default setting from 10:
> http://support.microsoft.com/kb/243327/en-us
>
> Also see:
> http://support.microsoft.com/kb/932455
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Hi,
> >
> > I would like an advice about how can I permit some users to join more
> > than
> > 10 computers in the domain.
> > I intend to create a Group, put some users in it and create a GPO to
> > permit
> > the users form that new Group put more than 10 computers in the
> > domain.
> > I think that strategy is better than Delegation because I can get
> > control
> > about the policy.
> > My doubt is where I link the GPO, is in Domain level or Domain
> > Controller
> > level?
> > If anyone could help me I appreciate.
> >
> > Thanks.
> >
> > Luiz
> >
>
>
>
Previous Topic:Default Domain Controller
Next Topic:IP Change for DC
Goto Forum:
  


Current Time: Tue Jan 23 16:36:48 MST 2018

Total time taken to generate the page: 0.16488 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software