I have seen a number of cases where unix/linux administrators do not
have access to Windows Administrator rights to execute "net ads join".
Here is the result of testing that I have done to determine what the
minimum set of user rights is.
Case 1: Adding the object to the domain and joining the domain with
"net ads join"
In this case, an ordinary user "member of Domain Users" can add and
join
by having an Administrator assign the user special rights to the
Computers container (or equivalent). This is done by:
1. Users and Computers MMC, Advanced Features View
2. Right click Computers container and select Properties
3. Choose Security tab, add a new user to the container
4. Click Advanced, select the new user, click Edit
5. Clear all rights, add back only "Create Computer Objects"
6. OK to exit out
The user can now add and join the computer object using "net ads join -U
username".
Case 2: Add object using "Users and Computers" MMC, join using
"net ads
join".
This method is required when a custom schema is used and "net ads
join"
cannot find the correct container to add the computer. Note that
sometimes the UseraccountControl attribute will populate with a value
that denies krb5 authentication, and the attribute must be populated
manually.
1. Users and Computers MMC, Advanced Features View
2. Add the computer object using the MMC. Do not select "Windows
2000 compatible".
3. Right click on the new computer object (note that this is
different from the container in Case 1)and select Properties.
4. Click Advanced, then Add, and add the user to Security Settings.
5. Highlight the username, then select Edit.
7. Select "Full Control" - this will autoselect all Permissions.
8. Unselect those that we do not need:
Full Control
Create All Child Objects
Delete All Child Objects
....(all items thru)
Delete All Shared Folder Ob
9. OK to exit out.
The user can now join and modify the existing computer object using "net
ads join -U username".
Caveats:
1. "net ads leave -U username" does not work, even with
Administrator.
2. Several other "net ads" commands do not work.
3. The ntSecurityDescriptor is not correctly processed (ldap.c accounts
for this and adds the object anyway, and issues a warning)
JT - I have written a user's guide for this process. Let me know if you
would like to use it however you see fit.
Eric Roseme
Hewlett-Packard