How do I stop Assistant Admins from being able to create computer accounts that are BDC's? (NETIQKB10623)

  • 7710623
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
How do I stop Assistant Admins from being able to create computer accounts that are BDC's?

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

fix

There are two methods that can be employed to prevent Assistant Admins (AAs) from creating machine accounts that are Domain Controllers. Whether or not you want the AAs to be able to see the Domain Controllers determines which method you choose.

ActiveView method:

Create an ActiveView with the following rules:

  • Include computers in domain X.

  • Include Target domain for create operations and specify domain X.

  • Exclude computers that are domain controllers with name matching * in domain X. (This excludes all Domain Controllers from the ActiveView).

  • Delegate the power All Properties - Create a Computer Account.

Result: 

The Assistant Admins WILL NOT be able to see any Domain Controller in the MMC and will receive an error indicating that they do not have enough powers to create the computer account, if they check the BDC checkbox during the computer create operation.

----------------------------------------------------------------------------------------------------------------------------------------------

Policy method:

Create a custom policy using the method below:

  1. Copy the VB script text below and create the vbs script file (e.g. C:\stop_bdc.vbs).

     ' Custom policy script: refuse the computer create operation when the
     ' requested account type is a Domain Controller.
     Function Main
         ' $McsType carries the account type selected in the create dialog
         iType = varset.get("In.Properties.$McsType")

         If iType = 16 Then
             ' BDC checkbox selected: deny and return a custom error message
             varset.put "Out.ErrorMsg.Script", "You are not allowed to create BDC's"
             Main = False
         ElseIf iType = 8 Then
             ' PDC requested: deny as well
             varset.put "Out.ErrorMsg.Script", "You are not allowed to create PDC's"
             Main = False
         Else
             ' Any other computer account type is allowed
             Main = True
         End If
     End Function


  2. Launch the MMC logged in as a Built-in Admin and click the Policy and automation management node.
  3. Click Policy.
  4. Click New from the menu bar in the right pane.
  5. Select Create a custom policy and click Next.
  6. Select Browse in the "Apply when specified operations are executed" dialog box, and select ComputerCreate.
  7. Select Browse in the "Apply actions on objects included in" box, and choose the ActiveView pertaining to the 'ComputerCreate' operation.
  8. Click Next.
  9. Enter the file path to the vbs file (e.g. C:\stop_bdc.vbs) in the Script section.
  10. Select Next on the Error screen.
  11. Enter a name for this Policy and click Next.
  12. Click Finish.

Result: 

The Assistant Admins WILL be able to see Domain Controllers in the MMC, but will receive the custom error 'You are not allowed to create BDC's' if they check the BDC checkbox during the computer create operation.
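
The following is an added example and is not part of the NetIQ article or the product's own code. It is a defensive variant of the stop_bdc.vbs script above: it uses only the varset members the article itself relies on (varset.get and varset.put) and the article's type codes for In.Properties.$McsType (8 = PDC, 16 = BDC). The assumption it adds is that the property may arrive as a string rather than a number; in VBScript a string never compares equal to a number ("16" = 16 is False), so the value is coerced to a Long before it is compared, which keeps the policy from being silently bypassed by a type mismatch.

```vbscript
' Added example (not from the article): hardened version of stop_bdc.vbs.
' Assumes the same DRA varset interface and $McsType codes the article uses.
Function Main
    Dim rawType, iType

    rawType = varset.get("In.Properties.$McsType")

    ' Assumption: DRA may hand the property over as a number or as a string.
    ' "16" = 16 is False in VBScript, so normalise to a Long first; anything
    ' that is not numeric is mapped to -1 and treated like an ordinary account,
    ' which matches the article's script (only 8 and 16 are refused).
    If IsNumeric(rawType) Then
        iType = CLng(rawType)
    Else
        iType = -1
    End If

    Select Case iType
        Case 16
            ' BDC requested: refuse with the article's custom message
            varset.put "Out.ErrorMsg.Script", "You are not allowed to create BDC's"
            Main = False
        Case 8
            ' PDC requested: refuse
            varset.put "Out.ErrorMsg.Script", "You are not allowed to create PDC's"
            Main = False
        Case Else
            ' Workstations and member servers are allowed through
            Main = True
    End Select
End Function
```

Deploy it exactly as the article describes for stop_bdc.vbs (steps 2 to 12), pointing the policy's Script section at this file instead. Because the deny branches are the only change in behaviour, the Assistant Admins still see Domain Controllers in the MMC and still receive the custom error when they check the BDC checkbox.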

Additional Information

Formerly known as NETIQKB10623