Change who can join a created ComputerPrincipal account to the domain


I am using C# to create new computer accounts. My goal is to allow IT helpdesk personnel to add computers to the domain safely in the right OU. The way I intended to do this was to have them use a tool that would take the relevant information and create the account in Active Directory. So far, this all works great. There is only one snag - I can't figure out how to grant my workers the rights to join the computer to the domain. Normally in Active Directory you could change the group that is allowed to join the new computer to the domain. I am using DirectoryServices.AccountManagement and I cannot figure out how to do the same in code.

Here is my code:

using System.DirectoryServices.AccountManagement;

// GetPrincipalContext(sOU) and RandomPassword() are helpers from my own code that
// are not shown here: the first returns a PrincipalContext bound to the target OU,
// the second builds a random machine password.
PrincipalContext oPrincipalContext = GetPrincipalContext(sOU);

//The password is just a random construction.
//The computer SAM Account Name must end with a dollar sign in order for it
//to be usable.
ComputerPrincipal oComputerPrincipal = new ComputerPrincipal(oPrincipalContext,
                                                             sComputerName + "$",
                                                             RandomPassword(),
                                                             true);

//The object does not exist in Active Directory until Save() is called.
oComputerPrincipal.Save();

This creates the computer accounts and puts them in the correct OU. However, you still need to be granted the rights to add a computer to the domain in order to hook a computer up to this account. I can't find the code to do so.

As a side note, I understand that I could grant my helpdesk personnel the permission to join computers to the domain. The problem, though, is that they would be able to do so without using this tool. They wouldn't realize that when they do that, they are sending the computers to the wrong OUs.

Update

Here is an updated picture to show you what I am trying to accomplish in code. As you can see in the image below, I am attempting to change the bottom box (via code) when I create a new computer account in code. See how it allows you to specify who can add this specific computer to the domain?

New Computer dialog

2

There are 2 answers

6
JPBlanc On

Here is a place to find ExtendedRightAccessRule.

And here is a simple example that allows the domain user 'user1' to reset the password of users present in the OU 'ForUser1'. You just have to allow your user to add a computer to an OU. @Brian Desmond gives you the GUID.

using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

/* Connection to Active Directory
 */
DirectoryEntry workingOU = new DirectoryEntry();
// Reading or writing the SACL requires SeSecurityPrivilege on the caller;
// SecurityMasks.Dacl alone is enough for the change made below.
workingOU.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Dacl | SecurityMasks.Sacl;
workingOU.Path = "LDAP://WM2008R2ENT:389/ou=ForUser1,dc=dom,dc=fr";

/* Retrieve object security
 */
ActiveDirectorySecurity adsOUSec = workingOU.ObjectSecurity;

/* Elaborate the user to delegate
 */
NTAccount ntaToDelegate = new NTAccount("dom", "user1");
// Translating to a SID also checks that the account exists; the rules below
// accept the NTAccount directly, so the SID itself is not needed further down.
SecurityIdentifier sidToDelegate = (SecurityIdentifier)ntaToDelegate.Translate(typeof(SecurityIdentifier));

/* Special GUIDs
 */
Guid UserForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529"); // "Reset Password" control access right
Guid userSchemaGuid = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2");          // schemaIDGUID of the user class
Guid pwdLastSetSchemaGuid = new Guid("bf967a0a-0de6-11d0-a285-00aa003049e2");    // schemaIDGUID of the pwdLastSet attribute

/* Elaborate ACEs: one extended-right ACE plus read/write on pwdLastSet,
 * all inherited by descendant user objects of the OU
 */
ExtendedRightAccessRule erarResetPwd = new ExtendedRightAccessRule(ntaToDelegate, AccessControlType.Allow, UserForceChangePassword, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
PropertyAccessRule parPwdLastSetW = new PropertyAccessRule(ntaToDelegate, AccessControlType.Allow, PropertyAccess.Write, pwdLastSetSchemaGuid, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
PropertyAccessRule parPwdLastSetR = new PropertyAccessRule(ntaToDelegate, AccessControlType.Allow, PropertyAccess.Read, pwdLastSetSchemaGuid, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
adsOUSec.AddAccessRule(erarResetPwd);
adsOUSec.AddAccessRule(parPwdLastSetW);
adsOUSec.AddAccessRule(parPwdLastSetR);

// Nothing is written to the directory until CommitChanges()
workingOU.CommitChanges();

Edited (2011-11-04)

In my understanding the thing you want to do is a kind of delegation; inside Active Directory, delegation becomes reality with rights on objects. In your case you want to allow a user to create a computer account. Most of the time administrators do that for the whole domain:


If you try it you'll see a new ACE (Access Control Entry) in the domain node ACL (Access Control List). In the example I just delegate the right in one OU.


Second Edition (2011-11-04)

Here is the proof of what I am writing:


If you look at the security tab:

1
Brian Desmond On

In order to do this, you need to grant the Reset Password right at a minimum on the computer account. I don't think you need anything else but I don't recall offhand.

You can use the ActiveDirectoryAccessRule class to build the ACE and add it to the ACL. You'll want to do something like this:

// Needs System.DirectoryServices, System.Security.AccessControl and System.Security.Principal.
// <user to delegate to> is the IdentityReference (NTAccount or SecurityIdentifier) of the
// helpdesk user or group; the GUID is the "Reset Password" extended right.
IdentityReference userToDelegateTo = new NTAccount("DOMAIN", "helpdesk-user"); // placeholder identity
var rule = new ActiveDirectoryAccessRule(userToDelegateTo, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, new Guid("00299570-246d-11d0-a768-00aa006e0529"));
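The following is an added example, not code from the question or from either answer. It ties the three pieces together: the account is created with ComputerPrincipal as in the question, then the ACEs that the "User or group" box of the New Computer dialog would write are added to the new computer object only (so the helpdesk account gets no right on the OU itself, which is the asker's concern), and the DACL is read back for the kind of check JPBlanc's security-tab screenshot makes by hand. Brian Desmond's answer confirms only Reset Password; the two validated writes and the Account Restrictions property set are the other rights Microsoft documents for joining a pre-created account, and the example resolves every GUID at runtime from CN=Extended-Rights in the configuration partition by display name rather than hard-coding them, so compare the result with what the dialog writes on a test object in your own domain. The server name WM2008R2ENT and domain dom.fr come from JPBlanc's example; the OU, computer name and delegate account are illustrative values, and the caller is assumed to be able to read the configuration partition and write the computer object's DACL.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;

// Added example; not code from the question or from either answer.
static class ComputerJoinDelegation
{
    // Escape a value before embedding it in an LDAP filter (RFC 4515).
    static string EscapeFilterValue(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // Resolve a control-access right or property set to its rightsGuid by display
    // name from CN=Extended-Rights in the configuration partition, so no GUID
    // has to be hard-coded in this example.
    static Guid LookupRightsGuid(string server, string displayName)
    {
        using (var rootDse = new DirectoryEntry("LDAP://" + server + "/RootDSE"))
        {
            string configNc = (string)rootDse.Properties["configurationNamingContext"].Value;
            using (var extendedRights = new DirectoryEntry("LDAP://" + server + "/CN=Extended-Rights," + configNc))
            using (var searcher = new DirectorySearcher(extendedRights))
            {
                searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=" + EscapeFilterValue(displayName) + "))";
                searcher.PropertiesToLoad.Add("rightsGuid");
                SearchResult hit = searcher.FindOne();
                if (hit == null)
                    throw new InvalidOperationException("No extended right named '" + displayName + "'");
                return new Guid((string)hit.Properties["rightsGuid"][0]);
            }
        }
    }

    // Grant, on this one computer object, the rights the New Computer dialog gives
    // the chosen "User or group": Reset Password (the minimum named in the answer),
    // the two validated writes and write to the Account Restrictions property set.
    public static void GrantJoinRights(DirectoryEntry computer, string server, IdentityReference delegateTo)
    {
        computer.Options.SecurityMasks = SecurityMasks.Dacl;   // DACL only; the SACL would need SeSecurityPrivilege
        ActiveDirectorySecurity security = computer.ObjectSecurity;

        security.AddAccessRule(new ActiveDirectoryAccessRule(delegateTo,
            ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow,
            LookupRightsGuid(server, "Reset Password")));
        foreach (string validatedWrite in new[] { "Validated write to DNS host name",
                                                 "Validated write to service principal name" })
            security.AddAccessRule(new ActiveDirectoryAccessRule(delegateTo,
                ActiveDirectoryRights.Self, AccessControlType.Allow,       // Self = validated write
                LookupRightsGuid(server, validatedWrite)));
        security.AddAccessRule(new ActiveDirectoryAccessRule(delegateTo,
            ActiveDirectoryRights.WriteProperty, AccessControlType.Allow,
            LookupRightsGuid(server, "Account Restrictions")));

        computer.CommitChanges();   // the ACEs reach the directory only here
    }

    // Random initial machine password; the joining workstation replaces it during the join.
    static string RandomPassword()
    {
        var bytes = new byte[24];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Create the account the way the question does, then delegate the join on the new object.
    public static void CreateComputerForHelpdesk(string server, string ouDn, string computerName, string delegateAccount)
    {
        using (var context = new PrincipalContext(ContextType.Domain, server, ouDn))
        using (var computer = new ComputerPrincipal(context, computerName + "$", RandomPassword(), true))
        {
            computer.Name = computerName;
            computer.Save();   // the object exists in AD only after Save()
            var entry = (DirectoryEntry)computer.GetUnderlyingObject();
            GrantJoinRights(entry, server, new NTAccount(delegateAccount));
        }
    }

    // Read the DACL back and list the explicit ACEs that name the delegate.
    public static List<string> DescribeAcesFor(DirectoryEntry computer, IdentityReference delegateTo)
    {
        computer.Options.SecurityMasks = SecurityMasks.Dacl;
        var lines = new List<string>();
        foreach (ActiveDirectoryAccessRule ace in
                 computer.ObjectSecurity.GetAccessRules(true, false, typeof(NTAccount)))
        {
            if (string.Equals(ace.IdentityReference.Value, delegateTo.Value, StringComparison.OrdinalIgnoreCase))
                lines.Add(ace.AccessControlType + " " + ace.ActiveDirectoryRights + " objectType=" + ace.ObjectType);
        }
        return lines;
    }

    static void Main()
    {
        const string server = "WM2008R2ENT";                 // server name from JPBlanc's example
        const string ou = "ou=Workstations,dc=dom,dc=fr";     // illustrative OU in the same domain
        const string delegateAccount = @"dom\helpdesk";       // illustrative helpdesk group
        CreateComputerForHelpdesk(server, ou, "WS-HELPDESK01", delegateAccount);

        using (var entry = new DirectoryEntry("LDAP://" + server + "/cn=WS-HELPDESK01," + ou))
            foreach (string line in DescribeAcesFor(entry, new NTAccount(delegateAccount)))
                Console.WriteLine(line);
    }
}
```

Two points about the design: the ACEs are written with no inheritance flags on the computer object itself, so a helpdesk account that holds them can finish the join of that one pre-created account but still has nothing on the OU, which is exactly what keeps the tool in the loop; and the DACL read-back at the end gives you something to compare against the security tab of an account created through the dialog, which is the quickest way to confirm the set of rights matches your domain.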