Recipe 8.2 Creating a Computer for a Specific User or Group

8.2.1 Problem

You want to create a computer account for a specific user or group to join to the domain. This requires setting permissions on the computer account so the user or group can modify certain attributes.

8.2.2 Solution

8.2.2.1 Using a graphical user interface
  1. Open the Active Directory Users and Computers snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, browse to the parent container for the computer, right-click on it, and select New Computer.

  4. Enter the name of the computer.

  5. Click the Change button.

  6. Use the Object Picker to select a user or group to join the computer to the domain.

  7. Click OK.

8.2.2.2 Using a command-line interface

In the following solution, replace <ComputerDN> with the distinguished name of the computer object and <UserOrGroup> with the user principal name or NT-style name of a user or group you want to manage the computer:

> dsadd computer <ComputerDN>
> dsacls <ComputerDN> /G <UserOrGroup>:CALCGRSDDTRC;;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;description;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;sAMAccountName;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;displayName;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;"Logon Information";
> dsacls <ComputerDN> /G <UserOrGroup>:WP;"Account Restrictions";
> dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to service principal name";
> dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to DNS host name";

8.2.2.3 Using VBScript
' This code creates a computer object and grants a user/group rights over it
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ComputerName>"   ' e.g. joe-xp
strUser     = "<UserOrGroup>"    ' e.g. joe@rallencorp.com or RALLENCORP\joe
strDescr    = "<ComputerDescr>"  ' e.g. Joe's workstation
strDomain   = "<ComputerDomain>" ' e.g. rallencorp.com
' ------ END CONFIGURATION ---------

'############################
' Constants
'############################
' ADS_USER_FLAG_ENUM
Const ADS_UF_PASSWD_NOTREQD            = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000

' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED        = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5

' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1

' ADS_RIGHTS_ENUM
Const ADS_RIGHT_DS_SELF           = &h8
Const ADS_RIGHT_DS_WRITE_PROP     = &h20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
Const ADS_RIGHT_ACTRL_DS_LIST     = &h4
Const ADS_RIGHT_GENERIC_READ      = &h80000000
Const ADS_RIGHT_DELETE            = &h10000
Const ADS_RIGHT_DS_DELETE_TREE    = &h40
Const ADS_RIGHT_READ_CONTROL      = &h20000

' schemaIDGUID values
Const DISPLAY_NAME     = "{bf967953-0de6-11d0-a285-00aa003049e2}"
Const SAM_ACCOUNT_NAME = "{3e0abfd0-126a-11d0-a060-00aa006c33ed}"
Const DESCRIPTION      = "{bf967950-0de6-11d0-a285-00aa003049e2}"

' controlAccessRight rightsGUID values
Const USER_LOGON_INFORMATION     = "{5f202010-79a5-11d0-9020-00c04fc2d4cf}"
Const USER_ACCOUNT_RESTRICTIONS  = "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME    = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN              = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"

'############################
' Create Computer
'############################
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objContainer = GetObject("LDAP://cn=Computers," & _
                             objRootDSE.Get("defaultNamingContext"))
set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "userAccountControl", _
                 ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.Put "description", strDescr
objComputer.SetInfo

'############################
' Create ACL
'############################
set objSD = objComputer.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Special: Control Rights, List Children
'          Generic Read, Delete,
'          Delete Subtree, Read Permission
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee    = strUser
objACE1.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS Or _
                     ADS_RIGHT_ACTRL_DS_LIST Or _
                     ADS_RIGHT_GENERIC_READ Or _
                     ADS_RIGHT_DELETE Or _
                     ADS_RIGHT_DS_DELETE_TREE Or ADS_RIGHT_READ_CONTROL
objACE1.AceFlags   = 0
objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED

' Write Property: description
set objACE2 = CreateObject("AccessControlEntry")
objACE2.Trustee    = strUser
objACE2.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE2.AceFlags   = 0
objACE2.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE2.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE2.ObjectType = DESCRIPTION

' Write Property: sAMAccountName
set objACE3 = CreateObject("AccessControlEntry")
objACE3.Trustee    = strUser
objACE3.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE3.AceFlags   = 0
objACE3.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE3.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE3.ObjectType = SAM_ACCOUNT_NAME

' Write Property: displayName
set objACE4 = CreateObject("AccessControlEntry")
objACE4.Trustee    = strUser
objACE4.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE4.AceFlags   = 0
objACE4.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE4.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE4.ObjectType = DISPLAY_NAME

' Write Property: Logon Information
set objACE5 = CreateObject("AccessControlEntry")
objACE5.Trustee    = strUser
objACE5.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE5.AceFlags   = 0
objACE5.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE5.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE5.ObjectType = USER_LOGON_INFORMATION

' Write Property: Account Restrictions
set objACE6 = CreateObject("AccessControlEntry")
objACE6.Trustee    = strUser
objACE6.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE6.AceFlags   = 0
objACE6.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE6.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE6.ObjectType = USER_ACCOUNT_RESTRICTIONS

' Write Self: Validated SPN
set objACE7 = CreateObject("AccessControlEntry")
objACE7.Trustee    = strUser
objACE7.AccessMask = ADS_RIGHT_DS_SELF
objACE7.AceFlags   = 0
objACE7.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE7.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE7.ObjectType = VALIDATED_SPN

' Write Self: Validated DNS Host Name
set objACE8 = CreateObject("AccessControlEntry")
objACE8.Trustee    = strUser
objACE8.AccessMask = ADS_RIGHT_DS_SELF
objACE8.AceFlags   = 0
objACE8.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE8.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE8.ObjectType = VALIDATED_DNS_HOST_NAME

objDACL.AddAce objACE1
objDACL.AddAce objACE2
objDACL.AddAce objACE3
objDACL.AddAce objACE4
objDACL.AddAce objACE5
objDACL.AddAce objACE6
objDACL.AddAce objACE7
objDACL.AddAce objACE8

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objComputer.Put "ntSecurityDescriptor", objSD
objComputer.SetInfo

WScript.Echo "Successfully created " & strComputer & _
             " and gave rights to " & strUser

8.2.3 Discussion

Simply creating a computer object in Active Directory does not permit a user to join a computer to the domain. Certain permissions have to be granted so that the user has rights to modify the computer object. When you create a computer via the Active Directory Users and Computers snap-in you have the option to select a user or group to manage the computer object and join a computer to the domain using that object. When you use that method, eight access control entries (ACEs) are added to the access control list (ACL) of the computer object. They are:

  • List Contents, Read All Properties, Delete, Delete Subtree, Read Permissions, All Extended Rights (i.e., Allowed to Authenticate, Change Password, Send As, Receive As, Reset Password)

  • Write Property for description

  • Write Property for sAMAccountName

  • Write Property for displayName

  • Write Property for Logon Information

  • Write Property for Account Restrictions

  • Validated write to DNS host name

  • Validated write for service principal name

8.2.3.1 Using a graphical user interface

If you want to modify the default permissions that are applied when you select a user or group through the GUI, double-click on the computer object after you created it and go to the Security tab. For the Security tab to be visible, you have to select View Advanced Features.

8.2.3.2 Using a command-line interface

With the dsacls utility, you can specify either a UPN (user@domain) or down-level style (DOMAIN\user) account name when applying permissions. Also, dsacls requires that the displayName of the attribute, property set, or extended right you are setting the permission on be used, rather than the lDAPDisplayName one might expect. That is why I had to use "Validated write to service principal name," which is the displayName of the Validated-SPN controlAccessRight object, for the ACE that grants the validated write to the SPN. dsacls is also case sensitive, so be sure to specify the correct case for the words in the displayName.

8.2.3.3 Using VBScript

After creating the computer object, as in Recipe 8.1, I create an ACE object for each of the eight ACEs listed earlier using the IADsAccessControlEntry interface. To apply the ACEs, I retrieve the current security descriptor for the computer object, which is stored in the nTSecurityDescriptor attribute, add the eight ACEs to its DACL, and write the descriptor back to the object. Finally, I call SetInfo to commit the change to Active Directory. For more information on setting ACEs and ACLs programmatically, see the IADsAccessControlEntry documentation in MSDN.
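The same eight ACEs from the list in Section 8.2.3, applied with the ActiveDirectory PowerShell module and the .NET ActiveDirectoryAccessRule class instead of ADSI. This is an added example and not code from the Active Directory Cookbook; it assumes the ActiveDirectory module is installed, that the new computer is created in the default Computers container, and that the computer name, trustee and description are placeholders for your own values. The GUIDs are the same well-known schemaIDGUID and rightsGUID values the recipe's VBScript uses, and the ActiveDirectoryRights flags in the first rule correspond to the dsacls codes CA, LC, GR, SD, DT and RC. The read-back function at the end is the check worth running after any delegation: the first ACE grants Generic Read and every extended right on the object (the list above includes Reset Password), so confirm that exactly the intended trustee holds it.

```powershell
# Added example (not from the Active Directory Cookbook): the recipe's eight ACEs
# applied with the ActiveDirectory module and System.DirectoryServices
# ActiveDirectoryAccessRule objects, followed by a read-back of the trustee's ACEs.
Import-Module ActiveDirectory

$ComputerName = 'JOE-XP'            # assumed sample value
$Trustee      = 'RALLENCORP\joe'    # assumed: user or group that will join the machine
$Description  = "Joe's workstation" # assumed sample value

# schemaIDGUID of the three attributes and rightsGUID of the two property sets
# and two validated writes (same well-known GUIDs as the recipe's VBScript).
$Guid = @{
    description          = [guid]'bf967950-0de6-11d0-a285-00aa003049e2'
    sAMAccountName       = [guid]'3e0abfd0-126a-11d0-a060-00aa006c33ed'
    displayName          = [guid]'bf967953-0de6-11d0-a285-00aa003049e2'
    LogonInformation     = [guid]'5f202010-79a5-11d0-9020-00c04fc2d4cf'
    AccountRestrictions  = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'
    ValidatedSPN         = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
    ValidatedDNSHostName = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
}

function Get-TrusteeSid([string]$TrusteeName) {
    # Accepts DOMAIN\name or a UPN; ActiveDirectoryAccessRule wants an IdentityReference.
    ([System.Security.Principal.NTAccount]$TrusteeName).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Grant-ComputerJoinRights {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$TrusteeName
    )
    $sid   = Get-TrusteeSid $TrusteeName
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    # ACE 1: the dsacls "CALCGRSDDTRC" grant: Control Access (all extended rights),
    # List Children, Generic Read, Delete, Delete Tree, Read Control. No object
    # GUID and no inheritance, matching AceFlags = 0 in the VBScript.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight, ListChildren, GenericRead, Delete, DeleteTree, ReadControl'
    $rules  = @(New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow)

    # ACEs 2-8: object-specific entries (WriteProperty on an attribute or property
    # set, Self for the two validated writes). Hashtables so the list does not unroll.
    $objectAces = @(
        @{ Rights = 'WriteProperty'; ObjectType = $Guid.description }          # ACE 2
        @{ Rights = 'WriteProperty'; ObjectType = $Guid.sAMAccountName }       # ACE 3
        @{ Rights = 'WriteProperty'; ObjectType = $Guid.displayName }          # ACE 4
        @{ Rights = 'WriteProperty'; ObjectType = $Guid.LogonInformation }     # ACE 5
        @{ Rights = 'WriteProperty'; ObjectType = $Guid.AccountRestrictions }  # ACE 6
        @{ Rights = 'Self';          ObjectType = $Guid.ValidatedSPN }         # ACE 7
        @{ Rights = 'Self';          ObjectType = $Guid.ValidatedDNSHostName } # ACE 8
    )
    foreach ($ace in $objectAces) {
        $r = [System.DirectoryServices.ActiveDirectoryRights]$ace.Rights
        $rules += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $r, $allow, $ace.ObjectType
    }

    # Read the current nTSecurityDescriptor through the AD: drive, add the ACEs
    # to the DACL, and write it back (the Get-Acl / Set-Acl pair replaces the
    # VBScript's Get("ntSecurityDescriptor") / Put / SetInfo sequence).
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

function Get-TrusteeAces {
    # Read-back check: every explicit ACE on the object held by the trustee.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$TrusteeName
    )
    $sid = Get-TrusteeSid $TrusteeName
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value } |
        Select-Object ActiveDirectoryRights, ObjectType, AccessControlType, IsInherited
}

# Create the pre-staged computer account (sAMAccountName is the name plus "$",
# as in the recipe), delegate the join rights, then list what was granted.
$computer = New-ADComputer -Name $ComputerName -SamAccountName "$ComputerName`$" -Description $Description -PassThru
Grant-ComputerJoinRights -DistinguishedName $computer.DistinguishedName -TrusteeName $Trustee
Get-TrusteeAces -DistinguishedName $computer.DistinguishedName -TrusteeName $Trustee | Format-Table -AutoSize
```

Run it from an account that is allowed to create computer objects in the Computers container and to modify their security descriptors. The final table should show eight non-inherited Allow entries for the trustee: one with ExtendedRight, ListChildren, GenericRead, Delete, DeleteTree and ReadControl and an all-zero ObjectType, five WriteProperty entries and two Self entries, each carrying the GUID of its attribute, property set or validated write. Anything beyond those eight rows means the object already carried other explicit grants and is worth a second look before the machine is joined.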

8.2.4 See Also

Recipe 8.1 for creating a computer account; MS KB 238793 (Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain); MS KB 283771 (HOW TO: Prestage Windows 2000 Computers in Active Directory); MS KB 320187 (HOW TO: Manage Computer Accounts in Active Directory in Windows 2000); MSDN: IADsAccessControlEntry; MSDN: ADS_ACETYPE_ENUM; MSDN: ADS_RIGHTS_ENUM; and MSDN: ADS_FLAGTYPE_ENUM

Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
Year: 2006
Pages: 456