delegating rights to computer accounts to create objects in Active Directory
Hey,
Is it possible to delegate rights to computer accounts to create objects in Active Directory? Looking at a particular automation scenario....
Active Directory, Windows Server 2012
Last Comment
cmatchett
8/22/2022 - Mon
Will Szymkowski
Yes, you can delegate rights to a computer. I am not sure when you would want to do this (for creating users), but you can in fact provide computers specific ACLs as well, just like you can with Users or Groups.
Will.
cmatchett
ASKER
Thanks for the quick response. I have never come across any technical documentation that advises that you can use computer accounts to perform actions against AD.
DLeaver
I was just about to type no, but Will has thrown me there.
You can't do it via the delegation of control wizard as it is only users and groups there, so it must be at the ACL level.... I need to go find a DC and take a look!
When you use the delegation of control wizard, you can choose individual computer accounts. Whether or not this works when you use computer accounts is another story.
DLeaver
So you can (I just didn't adjust the lookup to include computers); you can also apply the permissions manually through the ACL tab on the OU, but I don't have capacity to check this right now to see if this actually grants the rights expected.
Install RSAT tools for AD on the computer you want to have delegated rights. Delegate the permissions through the wizard to the computer or manually as required (potential reboot required).
Log in as a non-admin user and see if the delegated rights work from that PC.... seems unlikely.
Alternatively, use DS tools with the -u switch accompanied by the name of the computer (potentially computer$). I imagine this would work more as a scripted task with the computer object as the authorised object.
Not sure whether any further delegation may need to be applied on the computer object itself (such as trusting it for delegation like you would for other services).
Comes down to what you are using this for...
McKnife
"How would you go about testing this" - easy.
Delegate the permissions to computer account "test".
Log on to test as local admin.
Download and extract PsTools (Microsoft freeware) to c:\pstools
Open an elevated command prompt and enter: psexec -s -i cmd
(A new shell opens with system rights; you now act as the computer.)
Now launch: net user /add testuser testpw /domain
(Of course this will only work if you have set these permissions on the container "computers" in AD, which is the default container for new accounts.)
See if it got created there.
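The "ACL level" delegation that Will and DLeaver describe, as an added example that is not from any poster in this thread: a PowerShell script that grants a computer account the right to create user objects in one OU only, then reads the ACE back so you can verify it before testing from the machine. It assumes the RSAT ActiveDirectory module; the OU path and computer name are placeholders.

```powershell
# Added example (not from the thread): delegate "create user objects" on one OU to a computer account
# and verify the resulting ACE. Requires the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

$OuDn        = 'OU=Automation,DC=example,DC=com'   # placeholder: target OU, not a whole domain
$ComputerSam = 'AUTOMATION01$'                      # placeholder: computer account (note the trailing $)

# Resolve the computer account's SID; a computer is a security principal and takes ACEs like a user or group.
$computer = Get-ADComputer -Identity $ComputerSam.TrimEnd('$')
$sid = New-Object System.Security.Principal.SecurityIdentifier $computer.SID

# Look up the schemaIDGUID of the 'user' class from the schema instead of hard-coding it.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))'
$userGuid  = [guid]$userClass.schemaIDGUID

# Build one ACE: Allow CreateChild, restricted to objects of class 'user', on this OU only (no inheritance).
# Keeping the object type and scope narrow is what makes this a least-privilege delegation.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: show every ACE on the OU that names this computer account (expect DOMAIN\AUTOMATION01$).
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$ComputerSam" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
```

Because the ACE is scoped to one OU with no inheritance, McKnife's psexec -s test against the default container would not succeed; point the test (or the automation) at the delegated OU instead.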