Angel Bosch Mora
2021-Oct-25  13:00 UTC
[Samba] disable automatic creation of computer accounts
> Alter your script so that it does what it does now, plus joins the
> machine and run it on the machine to be joined. Or you could script
> around 'net ads join' and only attempt the join if the computer
> already
> exists in AD.

First part (new computer script) is already done and it runs supervised by some sysadmins.

Second part (join domain) is done by some low profile assistants, and for security reasons we need to ensure that no one adds a machine by mistake or intentionally.

In Samba 3 (NT4 PDC style) it was enough to modify the "add machine script" parameter, but I've been testing different settings without success.

And I know it is a common policy in some environments:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/a2f3f357-0da5-4d41-a5cc-6ab710eb41bf/disable-automatic-computer-object-creation?forum=winserverDS

In that article they discuss the "Add workstations to domain" right.

Can I enforce that via smb.conf or any other setting?

abosch

--
Institut Mallorqui d'Afers Socials.
This message, and where applicable any attached file, is addressed exclusively to the person who is its recipient and may contain confidential information. In no case may you copy this message or deliver it to third parties without the express permission of IMAS. If you are not the intended recipient indicated (or the person responsible for delivering it to them), please notify the sender immediately at their e-mail address. Before printing this message, consider whether it is really necessary.
Rowland Penny
2021-Oct-25  15:53 UTC
[Samba] disable automatic creation of computer accounts
On Mon, 2021-10-25 at 15:00 +0200, Angel Bosch Mora wrote:
> > Alter your script so that it does what it does now, plus joins the
> > machine and run it on the machine to be joined. Or you could script
> > around 'net ads join' and only attempt the join if the computer
> > already
> > exists in AD.
> >
>
> First part (new computer script) is already done and it runs
> supervised by some sysadmins.
>
> Second part (join domain) is done by some low profile assistants, and
> for security reasons we need to ensure that no one adds a machine by
> mistake or intentionally.

Ah, you never said that.

> In Samba 3 (NT4 PDC style) it was enough to modify the "add machine
> script" parameter, but I've been testing different settings without
> success.

AD is very different.

> And I know it is a common policy in some environments:
> https://social.technet.microsoft.com/Forums/windowsserver/en-US/a2f3f357-0da5-4d41-a5cc-6ab710eb41bf/disable-automatic-computer-object-creation?forum=winserverDS
>
> In that article they discuss the "Add workstations to domain"
> right.
> Can I enforce that via smb.conf or any other setting?

No, it is also not what you are asking, the computer would get added without a computer object in AD.

You can 'delegate' join permissions, see here:
https://www.danielengberg.com/domain-join-permissions-delegate-active-directory/

However, that is probably still not what you are asking for.

What does your original script actually do?
Would it matter if the join created the computer object in 'CN=Computers' again?
Do you know that 'net ads join' has a parameter '--createcomputer=OU'?

Rowland
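One way to script the conditional join Rowland suggests (attempt 'net ads join' only if the computer account already exists in AD), as an added example rather than code from the thread. It assumes that 'net ads search' ends its output with a "Got N replies" line, that the host's short name matches the pre-created account, and that options passed to the wrapper (such as -U) are valid for both net subcommands.

```shell
#!/bin/sh
# Added example (not code from the thread): a join wrapper that only runs
# 'net ads join' when a computer object for this host already exists in AD,
# so an assistant running it cannot create an account by accident.
# Assumptions: 'net ads search' ends its output with a "Got N replies"
# line, and any options given to join_if_precreated (e.g. -U joiner) are
# valid for both 'net ads search' and 'net ads join'.
set -eu

# Read 'net ads search' output on stdin and print the number of matches
# (0 when no "Got N replies" line is present at all).
ads_reply_count() {
    awk '/^Got [0-9]+ repl/ { n = $2 } END { print n + 0 }'
}

# Succeed only when the search text shows exactly one matching account.
# $1 = captured 'net ads search' output
join_allowed() {
    count=$(printf '%s\n' "$1" | ads_reply_count)
    [ "$count" -eq 1 ]
}

# Query AD for the machine account HOST$ of the given short hostname.
# Remaining arguments are passed through to net (credentials etc.).
ad_search_computer() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    shift
    net ads search "$@" "(sAMAccountName=${name}\$)" sAMAccountName
}

# Join only if the account was pre-created by the sysadmins' script.
join_if_precreated() {
    host=$(hostname -s)
    out=$(ad_search_computer "$host" "$@")
    if join_allowed "$out"; then
        net ads join "$@"
    else
        printf 'refusing to join: no pre-created account for %s$\n' "$host" >&2
        return 1
    fi
}

# Only perform the real join when explicitly requested, e.g.
#   ADS_JOIN_RUN=1 ./join-if-precreated.sh -U joiner
if [ "${ADS_JOIN_RUN:-0}" = 1 ]; then
    join_if_precreated "$@"
fi
```

The joining user still needs the credentials that the delegated join permission requires; the wrapper only refuses to proceed when no account exists, so the account creation path is never exercised from the assistants' side.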