Delegation of Authority for a User to Join Computers to a Certain OU

This topic contains 1 reply, has 2 voices, and was last updated by Rohn Edwards 8 months, 1 week ago.

  • #34197
    Kreston Yates
    Participant

    I'm wanting to perform the following via PowerShell, which allows a user to exceed the 10-join maximum limit... What's the best route: Get-Acl, dsacls, ADSI? I've got a lot of bits and pieces from reading around and seeing a few similar examples, but I just can't seem to get lined out straight enough to get it working. I followed this guy's example, changing his example from a user DN to an OU DN, but when I compare the ACL of a user I perform the steps on through the GUI vs. the script, they don't match... Any input or direction would be appreciated.

    http://stackoverflow.com/questions/29037519/set-following-user-or-group-can-join-to-domain-permissions-on-computer-object

    Users cannot join a computer to a domain more than ten times; follow these steps:
    1. Locate and right-click the OU that you want to modify, and then click Delegate Control.
    2. In the Delegation of Control Wizard, click Next.
    3. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
    4. In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
    5. Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
    6. Click Next.
    7. In the Permissions list, click to select the following check boxes:
       • Reset Password
       • Read and write Account Restrictions
       • Validated write to DNS host name
       • Validated write to service principal name
    8. Click Next, and then click Finish.

    If I run dsacls on the OU that I set the permissions on through the GUI, I get the following:

    Allow domain\user SPECIAL ACCESS for Account restrictions – WRITE PROPERTY READ PROPERTY

    Allow domain\user SPECIAL ACCESS for Validated write to services principal name – WRITE SELF

    Allow domain\user SPECIAL ACCESS for Validated write to DNS host name – WRITE SELF

    Allow domain\user Reset Password

    I'm not sure how to duplicate these rights via dsacls or PS...
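One way to script the same delegation with the ActiveDirectory module's AD: drive, added here as an example and not code from the thread or the linked answer. It writes the four ACEs listed in the dsacls output above plus the create/delete Computer rights from step 5; the OU DN and the DOMAIN\principal are placeholders you supply, and the GUIDs are the standard AD schema values for the Computer class, the Account Restrictions property set, the two validated writes and the Reset Password extended right.

```powershell
Import-Module ActiveDirectory

function Grant-ComputerJoinDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDN,     # e.g. 'OU=Workstations,DC=corp,DC=example' (placeholder)
        [Parameter(Mandatory)][string]$Identity  # 'DOMAIN\user' or 'DOMAIN\group' being delegated
    )
    # Schema GUIDs for the objects/attributes the wizard steps refer to (standard AD schema values)
    $computerClass   = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # Computer object class
    $accountRestrict = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set
    $validatedDns    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
    $validatedSpn    = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name
    $resetPassword   = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right

    $R     = [System.DirectoryServices.ActiveDirectoryRights]
    $I     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $sid   = ([System.Security.Principal.NTAccount]$Identity).Translate([System.Security.Principal.SecurityIdentifier])

    $rules = @(
        # Step 5: create/delete Computer objects in this OU and below (ACE on the OU itself)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, ($R::CreateChild -bor $R::DeleteChild), $allow, $computerClass, $I::All)
        # Step 7: rights scoped to descendant Computer objects only (inheritedObjectType = computer)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, ($R::ReadProperty -bor $R::WriteProperty), $allow, $accountRestrict, $I::Descendents, $computerClass)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $R::Self, $allow, $validatedDns, $I::Descendents, $computerClass)          # WRITE SELF
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $R::Self, $allow, $validatedSpn, $I::Descendents, $computerClass)          # WRITE SELF
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $R::ExtendedRight, $allow, $resetPassword, $I::Descendents, $computerClass) # Reset Password
    )

    $path = "AD:\$OuDN"
    $acl  = Get-Acl -Path $path
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl

    # Return the ACEs the principal now holds on the OU, for side-by-side comparison with dsacls output
    (Get-Acl -Path $path).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Usage (placeholders): Grant-ComputerJoinDelegation -OuDN 'OU=Workstations,DC=corp,DC=example' -Identity 'CORP\joiner'
```

Running `dsacls "OU=Workstations,DC=corp,DC=example"` afterwards should list the same SPECIAL ACCESS entries shown above; any ACE the GUI wizard produced but this script did not is visible in that diff.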

    #34207
    Rohn Edwards
    Participant

    Answered here
