Resolution
How do I stop Assistant Admins from being able to create computer accounts that are BDCs?
fact
Directory and Resource Administrator 6.x
fact
Directory and Resource Administrator 7.x
fix
There are two methods that will prevent AAs from creating machine accounts that are Domain Controllers. Which method you choose depends on whether or not you want the AAs to see the Domain Controllers.
ActiveView method:
Create an ActiveView with the following rules:
- Include computers in domain X.
Result:
The Assistant Admins WILL NOT be able to see any Domain Controller in the MMC. If they check the BDC checkbox during the computer create operation, they will receive an error indicating that they do not have enough powers to create the computer account.
----------------------------------------------------------------------------------------------------------------------------------------------
Policy method:
Create a custom policy using the method below:
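- Copy the VBScript text below and create the vbs script file (i.e. C:\stop_bdc.vbs).

    ' Custom policy script for the ComputerCreate operation.
    ' Main = False rejects the operation; the text placed in
    ' Out.ErrorMsg.Script is the error shown to the Assistant Admin.
    Function Main
        ' Type of computer account requested in the create operation
        iType = varset.get("In.Properties.$McsType")
        If iType = 16 Then
            ' Account is being created as a BDC
            varset.put "Out.ErrorMsg.Script", "You are not allowed to create BDC's"
            Main = False
        ElseIf iType = 8 Then
            ' Account is being created as a PDC
            varset.put "Out.ErrorMsg.Script", "You are not allowed to create PDC's"
            Main = False
        Else
            ' Any other computer account type is allowed
            Main = True
        End If
    End Function
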
- Launch the MMC logged in as a Built-in Admin and click the Policy and automation management node.
- Click Policy.
- Click New from the menu bar in the right pane.
- Select Create a custom policy and click Next.
- Select Browse in the "Apply when specified operations are executed" dialog box, and select ComputerCreate.
- Select Browse in the "Apply actions on objects included in" box, and choose the ActiveView pertaining to the 'ComputerCreate' operation.
- Click Next.
- Enter the file path to the vbs file (i.e. c:\stop_bdc.vbs) in the Script section.
- Select Next on the Error screen.
- Enter a name for this Policy and click Next.
- Click Finish.
Result:
The Assistant Admins WILL be able to see Domain Controllers in the MMC, but will receive a custom error, 'You are not allowed to create BDC's', if they check the BDC checkbox during the computer create operation.