  1. Mr. Poopy Pants
    #1

    Real world: Changing default permissions for a computer newly joined to a domain

    Hi everyone,

    Not sure whether this belongs in 70-290 or 70-294, but I thought I'd give it a try here; I apologize in advance if my question isn't clear.

    I'm trying to set the default security for computer objects that are newly joined to the domain.

    Currently, the default behavior is such that a help desk user that joins a computer to our domain has the ability to rejoin the computer to the domain without having to delete the computer account from AD first. All other help desk/technicians must delete the computer object, join a workgroup, reboot, rejoin to the domain and reboot again.

    Is there a place/setting that I can change to allow all tech users to rejoin computers without having to delete the computer object in AD and reboot twice before being able to rejoin the domain?
    Last edited by eserfeliz; 11-19-2010 at 01:20 PM. Reason: Punctuation

  2. Junior Member
    #2
    Is there a reason your help desk staff need to be able to remove the computer from the domain once joined, then rejoin? What is the error they get if they don't delete from AD and try to rejoin?

  3. I "HEART" M$ Mojo_666
    #3
    TBH, real world techs do not join computers to the domain, as it is scripted/automated into the build process. If using RIS, the GUID is an attribute of the computer object; in MDT and SCCM you have a database that holds that info, but either way you never want that info deleted.

  4. Mr. Poopy Pants
    #4
    Quote Originally Posted by pmmcateer View Post
    Is there a reason your help desk staff need to be able to remove the computer from the domain once joined, then rejoin? What is the error they get if they don't delete from AD and try to rejoin?
    They receive the error:

    The following error occurred attempting to join the domain "<domain>"

    Access is denied.

    So we currently have to delete the computer record from AD, change the client to a workgroup computer, reboot, join the computer to the domain, and reboot. I don't want a new SID generated if we have to reimage the machines, I just want them to be able to rejoin the domain using the existing Computer object.
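    One way to see why the original joiner can rejoin while other technicians get "Access is denied", as an added example that is not code from this thread: the script below lists which principals hold the rights a domain join needs on an existing computer object. It assumes the RSAT ActiveDirectory module (which also provides the AD: drive), the GUIDs are the well-known Active Directory schema identifiers for the four rights checked, and the computer name at the bottom is a placeholder.

```powershell
# Added example, not from the thread. Reports which principals hold the rights a
# help desk account needs to rejoin an EXISTING computer object (no delete/re-create).
# Assumes the RSAT ActiveDirectory module, which also provides the AD: drive used below.
# The GUIDs are the well-known Active Directory schema identifiers for these rights.
Import-Module ActiveDirectory

$RejoinRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Write Account Restrictions (property set)'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
}

function Get-ComputerRejoinRights {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    $acl      = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
    $fullCtl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ace in $acl.Access) {
        $guid = [string]$ace.ObjectType
        if ($ace.ObjectType -eq [guid]::Empty -and $ace.ActiveDirectoryRights.HasFlag($fullCtl)) {
            $right = 'Full control (covers all four rejoin rights)'
        } elseif ($RejoinRights.ContainsKey($guid)) {
            $right = $RejoinRights[$guid]
        } else {
            continue   # unrelated ACE, e.g. plain read access
        }
        [pscustomobject]@{
            Computer   = $computer.Name
            Principal  = $ace.IdentityReference.Value
            Right      = $right
            AccessType = $ace.AccessControlType   # Allow or Deny
            Inherited  = $ace.IsInherited         # $true when delegated on a parent OU/container
        }
    }
}

# Usage; the computer name is a placeholder. A help desk group that is missing from
# this output (or appears only as Deny) is the usual cause of "Access is denied" on rejoin.
Get-ComputerRejoinRights -ComputerName 'HELPDESK-PC01' | Format-Table -AutoSize
```

    Rights delegated once on the OU that holds the computers appear here with Inherited = True, so the technicians can rejoin without anyone deleting the object or touching permissions per computer.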

  5. Mr. Poopy Pants
    #5
    Quote Originally Posted by Mojo_666 View Post
    TBH, real world techs do not join computers to the domain, as it is scripted/automated into the build process. If using RIS, the GUID is an attribute of the computer object; in MDT and SCCM you have a database that holds that info, but either way you never want that info deleted.
    I got it, but our shop is a little backwards: we're just starting to use SCCM to do deployments. Even using SCCM, we still need to delete the computer object, or else the script fails to rejoin the computer to the domain successfully, hence, the manual process.

    Can you tell me where these permissions are set/delegated? Do I need to create a GPO to do this?

  6. I "HEART" M$ Mojo_666
    #6
    Quote Originally Posted by eserfeliz View Post

    Can you tell me where these permissions are set/delegated? Do I need to create a GPO to do this?
    Well, TBH I do not quite get what you want to do exactly, but you can set permissions over AD objects such as users, computers, groups and OUs by selecting the "Advanced" view and modifying the security permissions as you would with any other object; that is how I administer my support people and assign perms to build/install/service accounts.

  7. Mr. Poopy Pants
    #7
    Quote Originally Posted by Mojo_666 View Post
    Well, TBH I do not quite get what you want to do exactly, but you can set permissions over AD objects such as users, computers, groups and OUs by selecting the "Advanced" view and modifying the security permissions as you would with any other object; that is how I administer my support people and assign perms to build/install/service accounts.
    I was thinking less managing permissions on an object-by-object basis, more of changing the permissions for what will be the default every time a computer object is created.

  8. Still a noob earweed
    #8
    You may be better served by prestaging your computers in AD. See: Prestaging Client Computers

    As far as how to move them and how to grant permission to those who should be able to move them (from the Computers container to the appropriate OU or group), see:
    How to Grant Permission to Move Computer Accounts to a User or Group

    By default, when you join a computer to AD it is added to the Computers container.
    Hope this helps.

    I'm not sure why exactly your helpdesk people have to join computers to a workgroup in order to be placed in the correct OU or group. My only guess is that they don't have permission to move the computers in AD and that is what I've addressed.
    Last edited by earweed; 11-20-2010 at 12:55 PM.

  9. Mr. Poopy Pants
    #9
    Quote Originally Posted by earweed View Post
    You may be better served by prestaging your computers in AD. See: Prestaging Client Computers

    As far as how to move them and how to grant permission to those who should be able to move them (from the Computers container to the appropriate OU or group), see:
    How to Grant Permission to Move Computer Accounts to a User or Group

    By default, when you join a computer to AD it is added to the Computers container.
    Hope this helps.

    I'm not sure why exactly your helpdesk people have to join computers to a workgroup in order to be placed in the correct OU or group. My only guess is that they don't have permission to move the computers in AD and that is what I've addressed.
    Man, earweed, thanks for this. Seems so easy!
