Announcement

Collapse
No announcement yet.

Create large amount of computer accounts

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Create large amount of computer accounts

    I need to create a few thousand computer accounts, as new Win XP workstations are being rolled out. This is easily done with scripting. The problem is, how would I give another user account the right to join the computer into a domain?

    When a computer account is created in MMC, one can change the user or group that can join the computer on the domain. The dsa.msc GUI provides an option for changing the value. For an existing computer account, there doesn't seem to be an option to change the joining account in the GUI.

    As far as I know, there is no way for dsadd or dsmod to specify the domain joiner. I'd be happy to stand corrected.

    The reason for custom domain join account is that workstations are to be deployed from a custom image. The installer runs automagically as hard-coded account which has limited user rights. In addition, as per company policy, computer accounts are to be created before computer installations.

    Some creative Googling suggested to play with dsacls:

    dsacls cn=computer-1,ou=workstations,dc=example,dc=com /G mydomain\workstationInstaller:CALCGRSDDTRC;;
    (and six other changes to AD acl entries.)

    As I am not too familiar with dsacls, I am not too eager to run a Expert-Sexchange solution like voodoo scripting.

    I already tried getting a list of AD acls for ordinary computer account and for one that can be joined with another an account. The former was long, the latter returned no data whatsoever.

    Any ideas?

    -vP

  • #2
    Re: Create large amount of computer accounts

    This could probably be done with scripting using Dscacls but I would prefer the GUI method myself in this occasion.
    On the container where the object would be created Use the Delegation of control wizard. Alternativelly manually add the User Security principal on the ACL of the Container where the objects would be created and grant the user the appropriate permissons. You can be more granular about the permissions when you go to the advanced tab, such as Create and delete computer objects etc etc

    Please ignore if a scripting only solution is what you are after.
    Last edited by L4ndy; 9th December 2009, 11:20.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

    Comment


    • #3
      Re: Create large amount of computer accounts

      Check out rlmuller's solution: http://www.rlmueller.net/JoinComputer.htm

      Comment


      • #4
        Re: Create large amount of computer accounts

        Originally posted by ekrengel View Post
        Check out rlmuller's solution: http://www.rlmueller.net/JoinComputer.htm
        Another sample of using AccessControlEntry in vbscript and,
        also more about the dsacls command line
        here: http://oreilly.com/catalog/activedck...apter/ch08.pdf


        \Rems

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts

        Comment


        • #5
          Re: Create large amount of computer accounts

          For the reference, unfortunately none of the proposed scripting solutions worked, as the specified account was unable to join any computer to domain with pre-existing scripted computer account.

          I managed to create the accounts anyway. Though not an optimal solution, I used AutoIt to mimic the keypresses one performs when creating a new computer account. It took about two seconds per account, and monopolized the workstation for a few hours. I used batches of 250 accounts a time and the automation solution worked well enough.

          -vP

          Comment

          Working...
          X