4

When you create a new computer object, you will define the CN, sAMAccountName and a user or group that can add the computer to a domain(can access) to that Computer Object using GUI Interface, this step called Prestaging.

What is the name of the Attribute that defines the default user or group that can add the computer to a domain? I have right clicked and chosen the computer object's properties (Advanced Featured view enabled), but I can't find the content I want.

See the picture

enter image description here

Greg Askew
  • 34,339
  • 3
  • 52
  • 81
George Luong
  • 117
  • 3

1 Answers1

2

This isn't an attribute on the object, but just an ACL entry against it defined at the time of creation.

My first thought was that the default value is probably picked up from the Default Domain Controllers Policy, under Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to domain, but upon further investigation this isn't the case.

I would guess that the Domain Admins group is hard coded into the computer account creation process.

Chris McKeown
  • 7,128
  • 1
  • 17
  • 25
  • A number of permissions is set on the new computer object ACL for the User or Group chosen, including Allow to Authenticate, Write SPNs, All Extended Rights etc. – Mathias R. Jessen Sep 02 '13 at 14:37
  • What happen if I want to change the group belongs to that Computer Object? This is a limitation... – George Luong Sep 03 '13 at 01:56
  • I don't understand your question - do you mean the group membership of the computer object? That's independent of the ACLs against it. – Chris McKeown Sep 03 '13 at 07:40
  • It's been a long time, but at that time I mean how can I reconfigure the user or group belongs to that computer. – George Luong Sep 12 '13 at 15:20
  • 1
    If you mean you want to change the group membership of the computer object, you'd need to do that after the account has been created. If you need to do this with a large number of accounts that you want to create, you'd be better off scripting it. – Chris McKeown Sep 12 '13 at 19:48