Velocity Reviews - Computer Hardware Reviews

Active Directory Machine Account Permissions

 
 
Jay Armstrong
Guest
Posts: n/a
 
      02-28-2005
I am creating computer accounts from a web interface and need to set the
group that has the rights to join the computer to the domain (by default it
is Domain Admins).

I can create the accounts, and join them as a domain admin. The problem
arises when the local administrators who have been delegated control to their
OU try to join the computer to the domain. They are receiving an Account
Exists error.

This all works on my test domain with an account I have set up there, but
fails on the live domain.

I want to explicitly assign Full Control of the computer account object to
the local admins group for the OU to see if this will fix the problem.

I have tried to use the NewComputer.ObjectSecurity.AddAccessRule method but
can't find any documentation on it. (is it part of asp 2.0?)

Any help is appreciated,

Jay

Here is my creation code:

using System;
using System.DirectoryServices;

// DirLocation is the DirectoryEntry bound to the target OU; MachineName, MachDesc,
// AccountControl and SchemaName (assumed to be the "computer" class) come from the web form.
void CreateComputerAccount(DirectoryEntry DirLocation, string MachineName,
    string SchemaName, string MachDesc, int AccountControl)
{
    // Create the new Object
    DirectoryEntry NewComputer = DirLocation.Children.Add("cn=" + MachineName,
        SchemaName);

    // Create Computer Account (computer sAMAccountNames end in "$")
    NewComputer.Properties["sAMAccountName"].Add(MachineName + "$");
    NewComputer.Properties["description"].Add(MachDesc);
    NewComputer.Properties["userAccountControl"].Add(AccountControl);

    // Save Computer Account
    NewComputer.CommitChanges();

    // Create routine to set group able to add the computer to the domain
    // as the Designated OU Global Group
    // <-- here is where I am having the problem

    NewComputer.Close();
}
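
Added example, not Jay's code and not from anything else in the thread: the .NET 2.0 System.DirectoryServices path that Jay's NewComputer.ObjectSecurity.AddAccessRule call points at. GrantFullControl does what the post asks for, an explicit Allow GenericAll ACE for the OU admins group on the computer object. GrantJoinRights is an alternative I am adding that grants only the rights a domain join of a pre-created account actually exercises (Reset Password, validated writes to dNSHostName and servicePrincipalName, and write access to the Account Restrictions property set), so the group gets no ability to otherwise modify, re-ACL or delete the object. The LDAP path and group name are placeholders; the GUIDs are the well-known Active Directory schema GUIDs for those rights.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not the poster's code). Requires .NET 2.0 System.DirectoryServices,
// where DirectoryEntry.ObjectSecurity exposes the object's ACL as ActiveDirectorySecurity.
// The LDAP path and the group name are placeholders.
class ComputerAccountAcl
{
    // Well-known AD schema GUIDs for the rights a domain join needs on an
    // existing computer object (control-access right, validated writes, property set).
    static readonly Guid ResetPassword       = new Guid("00299570-246d-11d0-a768-00aa006e0529");
    static readonly Guid ValidatedDnsHost    = new Guid("72e39547-7b18-11d1-adef-0000f87b81ea");
    static readonly Guid ValidatedSpn        = new Guid("f3a64788-5306-11d1-a9c5-0000f80367c1");
    static readonly Guid AccountRestrictions = new Guid("4c164200-20c0-11d0-a768-00aa006e0529");

    // What the original post asks for: an explicit Full Control ACE on the computer object.
    static void GrantFullControl(DirectoryEntry computer, string groupName)
    {
        NTAccount group = new NTAccount(groupName);
        ActiveDirectorySecurity sec = computer.ObjectSecurity;
        sec.AddAccessRule(new ActiveDirectoryAccessRule(
            group,
            ActiveDirectoryRights.GenericAll,
            AccessControlType.Allow,
            ActiveDirectorySecurityInheritance.None));
        computer.CommitChanges();   // writes the modified nTSecurityDescriptor back to AD
    }

    // Narrower alternative: only the rights a join of a pre-staged account exercises.
    static void GrantJoinRights(DirectoryEntry computer, string groupName)
    {
        NTAccount group = new NTAccount(groupName);
        ActiveDirectorySecurity sec = computer.ObjectSecurity;

        // Control-access right: reset the machine account password during the join.
        sec.AddAccessRule(new ActiveDirectoryAccessRule(group,
            ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, ResetPassword));
        // Validated writes: the DC checks the value matches the computer's own name.
        sec.AddAccessRule(new ActiveDirectoryAccessRule(group,
            ActiveDirectoryRights.Self, AccessControlType.Allow, ValidatedDnsHost));
        sec.AddAccessRule(new ActiveDirectoryAccessRule(group,
            ActiveDirectoryRights.Self, AccessControlType.Allow, ValidatedSpn));
        // Property set: lets the join flip userAccountControl bits (e.g. enable the account).
        sec.AddAccessRule(new ActiveDirectoryAccessRule(group,
            ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, AccountRestrictions));

        computer.CommitChanges();
    }

    static void Main()
    {
        // Bind to the computer object created earlier (path and group are placeholders).
        using (DirectoryEntry computer = new DirectoryEntry(
            "LDAP://CN=WS-0001,OU=Workstations,DC=corp,DC=example"))
        {
            GrantJoinRights(computer, @"CORP\OU-Workstation-Admins");
        }
    }
}
```

Run it under the identity that created the object (the creator owns it and therefore holds WRITE_DAC) or under Domain Admins; a web application pool identity will not have that unless it is granted explicitly. After CommitChanges the ACEs are in nTSecurityDescriptor and a delegated admin can join using the pre-staged account rather than failing against it.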

Joe Kaplan (MVP - ADSI)
Guest
Posts: n/a
 
      03-10-2005
Did you find a solution for this? I didn't see a reply.

To modify the security descriptor in .NET 1.1, you need to do COM Interop
with the IADsSecurityDescriptor. There are samples in the S.DS SDK docs in
MSDN.

The ActiveDirectorySecurity stuff is indeed .NET 2.0. It works if you want
to use the beta or CTP though.

Joe K.

Jay Armstrong
Guest
Posts: n/a
 
      03-14-2005
Joe,

Thanks for the feedback. Unfortunately I cannot run 2.0 on my production
servers, so I will have to wait for the AD security code.

We tracked it down to a rights assignment not taking. After removing the
delegation and recreating it, the remote admins could join the machines to
the domain.

We would still like to explicitly assign the rights to the groups, but I
(still) can't find the examples you mention in the MSDN. Do you have a link?

Jay

Joe Kaplan (MVP - ADSI)
Guest
Posts: n/a
 
      03-14-2005
This is the only SDS-specific sample:

http://msdn.microsoft.com/library/de...asp?frame=true

The real body of the security stuff is in the AD SDK. You essentially need
to translate those from ADSI to SDS, but they are essentially the same.
They start here (probably read the whole thing twice):

http://msdn.microsoft.com/library/de...asp?frame=true

Generally, I try to avoid doing this stuff in code as much as possible as it
kind of sucks. However, when forced to do it, I generally try making the
changes in the UI first, dump out the resulting SD in code, then try to make
the same changes in code to get it working. If you need to play with the
inheritance settings, you need to mess with the flags (the "protected" flag
specifically) on the Control member on the SD.

Best of luck. I'm sure you'll get this working eventually.

Joe K.


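An added example (mine, not Joe's) of the workflow he describes: make the change through the AD Users and Computers UI first, then dump the resulting security descriptor from code so it can be compared with what the code-made change produces. DumpDacl lists each ACE with the fields that matter in that comparison (trustee, rights, object-type GUID, inherited-object-type GUID, whether the ACE is inherited, inheritance scope); HasExplicitAllow checks that the intended explicit ACE actually landed, which is the condition Jay's "rights assignment not taking" would have failed; SetInheritanceProtection toggles the "protected" flag Joe mentions, which in the .NET 2.0 API is ActiveDirectorySecurity.SetAccessRuleProtection rather than a raw bit on the SD control field. The LDAP path and group name are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the thread). Requires .NET 2.0 System.DirectoryServices.
// The LDAP path and the group name are placeholders.
class ComputerSdInspector
{
    // Resolve a SID to DOMAIN\Name where possible; fall back to the SID string.
    // Orphaned SIDs from deleted groups are common in old DACLs and must not abort the dump.
    static string TrusteeName(IdentityReference id)
    {
        try { return id.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return id.Value; }
    }

    // Print owner, protection flag and every ACE in the DACL, explicit and inherited,
    // so a UI-made change can be diffed against a code-made one.
    static void DumpDacl(DirectoryEntry entry)
    {
        ActiveDirectorySecurity sec = entry.ObjectSecurity;
        Console.WriteLine("Owner: " + TrusteeName(sec.GetOwner(typeof(SecurityIdentifier))));
        Console.WriteLine("DACL protected (no inheritance from parent OU): " + sec.AreAccessRulesProtected);
        foreach (ActiveDirectoryAccessRule rule in
                 sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            Console.WriteLine("{0,-5} {1,-35} {2,-30} objType={3} inhObjType={4} inherited={5} scope={6}",
                rule.AccessControlType,
                TrusteeName(rule.IdentityReference),
                rule.ActiveDirectoryRights,
                rule.ObjectType,
                rule.InheritedObjectType,
                rule.IsInherited,
                rule.InheritanceType);
        }
    }

    // True if groupName has a non-inherited Allow ACE on this object covering all of
    // the requested rights. Object-type GUIDs are not compared here; a check for a
    // specific extended right or property set would also match rule.ObjectType.
    static bool HasExplicitAllow(DirectoryEntry entry, string groupName, ActiveDirectoryRights needed)
    {
        foreach (ActiveDirectoryAccessRule rule in
                 entry.ObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType == AccessControlType.Allow
                && string.Equals(TrusteeName(rule.IdentityReference), groupName,
                                 StringComparison.OrdinalIgnoreCase)
                && (rule.ActiveDirectoryRights & needed) == needed)
            {
                return true;
            }
        }
        return false;
    }

    // The "protected" flag on the SD: stop inheriting ACEs from the OU. With
    // preserveInherited=true the currently inherited ACEs are copied in as explicit ones
    // so nobody loses access the moment inheritance is cut.
    static void SetInheritanceProtection(DirectoryEntry entry, bool isProtected, bool preserveInherited)
    {
        entry.ObjectSecurity.SetAccessRuleProtection(isProtected, preserveInherited);
        entry.CommitChanges();
    }

    static void Main()
    {
        using (DirectoryEntry computer = new DirectoryEntry(
            "LDAP://CN=WS-0001,OU=Workstations,DC=corp,DC=example"))   // placeholder
        {
            DumpDacl(computer);
            Console.WriteLine("OU admins have explicit Full Control: " +
                HasExplicitAllow(computer, @"CORP\OU-Workstation-Admins",   // placeholder
                                 ActiveDirectoryRights.GenericAll));
        }
    }
}
```

Dump once after making the change in the UI, once after making it in code, and diff the two listings line by line; a mismatch in ObjectType, InheritedObjectType or InheritanceType is the usual reason an ACE that looks right in the UI does not grant anything in practice.
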
Jay Armstrong
Guest
Posts: n/a
 
      03-15-2005
That looks like it will do it! Thanks. Good to know there are people like you
out there to help.

I've done some of this in vbscript, but C# and .NET are new animals to me. I
can get an ASP.NET website up and running, but the advanced stuff is still up
the learning curve.

I have some reading to do.

Jay
