8.2. Creating a Computer for a Specific User or Group
Problem
You want to create a computer account for a specific user or group to join to the domain. This requires setting permissions on the computer account so the user or group can modify certain attributes.
Solution
Using a graphical user interface
Open the Active Directory Users and Computers snap-in.
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
In the left pane, browse to the parent container for the computer, right-click on it, and select New → Computer.
Enter the name of the computer.
Click the Change button.
Use the Object Picker to select a user or group to join the computer to the domain.
Click OK.
Using a command-line interface
In the following solution,
replace
<ComputerDN> with the distinguished
name of the computer object and
<UserOrGroup> with the user
principal name or NT-style name of a user or group you want to manage
the computer:
> dsadd computer <ComputerDN> > dsacls <ComputerDN> /G <UserOrGroup>:CALCGRSDDTRC;; > dsacls <ComputerDN> /G <UserOrGroup>:WP;description; > dsacls <ComputerDN> /G <UserOrGroup>:WP;sAMAccountName; > dsacls <ComputerDN> /G <UserOrGroup>:WP;displayName; > dsacls <ComputerDN> /G <UserOrGroup>:WP;"Logon Information"; > dsacls <ComputerDN> /G <UserOrGroup>:WP;"Account Restrictions"; > dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to service principal[RETURN] name"; > dsacls ...
Get Active Directory Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
