Directory Services/Active Directory

Ulf B. Simon-Weidner's Blog
Errorhandling in DSACLS and wrong ACEs in ADUC

I spent some time recently to look at a issue I found in DSACLS and in Active Directory-Users and -Computers. If you create a computer object and assing some user or group account permissions to join that computer to the domain there are ACEs which cause issues. Since it's quite long I posted some infos here: http://www.windowsserverfaq.de/faq/CompACLs.asp

Published Thu, Sep 23 2004 6:41 by Ulf B. Simon-Weidner

Comments

# re: Errorhandling in DSACLS and wrong ACEs in ADUC@ Monday, April 25, 2005 3:38 PM

Thank you so much for this post. This was driving me crazy. Makes perfect sense now. I hope anyone who uses DSACLS to set or read permissions and receives no results reads the above linked post.

Ulf B. Simon-Weidner

# re: Errorhandling in DSACLS and wrong ACEs in ADUC@ Wednesday, May 04, 2005 9:53 PM

Hello,

Just wondering what the minimum permissions needed to join computers to a domain are? I am scripting the creation of the computer objects with "dsadd computer" and plan to use "dsacls" to apply the necessary permissions. I really would like to limit these to the minimum possible. Any suggestions?

Thanks,
Ed.

Ulf B. Simon-Weidner