September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
8.2. Creating a Computer for a Specific User or Group
Problem
You want to create a computer account for a specific user or group to join to the domain. This requires setting permissions on the computer account so the user or group can modify certain attributes.
Solution
Using a graphical user interface
Open the Active Directory Users and Computers snap-in.
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
In the left pane, browse to the parent container for the computer, right-click on it, and select New → Computer.
Enter the name of the computer.
Click the Change button.
Use the Object Picker to select a user or group to join the computer to the domain.
Click OK.
Using a command-line interface
In the following solution,
replace
<ComputerDN> with the distinguished
name of the computer object and
<UserOrGroup> with the user
principal name or NT-style name of a user or group you want to manage
the computer:
> dsadd computer <ComputerDN> > dsacls <ComputerDN> /G <UserOrGroup>:CALCGRSDDTRC;; > dsacls <ComputerDN> /G <UserOrGroup>:WP;description; > dsacls <ComputerDN> /G <UserOrGroup>:WP;sAMAccountName; > dsacls <ComputerDN> /G <UserOrGroup>:WP;displayName; > dsacls <ComputerDN> /G <UserOrGroup>:WP;"Logon Information"; > dsacls <ComputerDN> /G <UserOrGroup>:WP;"Account Restrictions"; > dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to service principal[RETURN] name"; > dsacls ...