[Samba] disable automatic creation of computer accounts

Rowland Penny rpenny at samba.org
Mon Oct 25 15:53:32 UTC 2021


On Mon, 2021-10-25 at 15:00 +0200, Angel Bosch Mora wrote:
> > Alter your script so that it does what it does now, plus joins the
> > machine and run it on the machine to be joined. Or you could script
> > around 'net ads join' and only attempt the join if the computer
> > already
> > exists in AD.
> > 
> 
> First part (new computer script) is already done and it runs
> supervised by some sysadmins.
> 
> Second part (join domain) is done by some low profile assistants, and
> for security reasons we need that no one adds a machine by mistake or
> intentionally.

Ah, you never said that.

> 
> In Samba 3 (NT4 PDC style) it was enough with modifying "add machine
> script" parameter, but I've been testing different settings without
> success.

AD is very different.

> 
> 
> And I know is a common policy in some environments:
> https://social.technet.microsoft.com/Forums/windowsserver/en-US/a2f3f357-0da5-4d41-a5cc-6ab710eb41bf/disable-automatic-computer-object-creation?forum=winserverDS
> 
> In that article they discuss about "Add workstations to domain"
> right.
> Can I enforce that via smb.conf or any other setting?

No, it is also not what you are asking, the computer would get added
without a computer object in AD.

You can 'delegate' join permissions, see here:
https://www.danielengberg.com/domain-join-permissions-delegate-active-directory/

However, that is probably still not what you are asking for. What does
your original script actually do ? Would it matter if the join created
the computer object in 'CN=Computers' again ? Do you know that 'net ads
join' has a parameter '--createcomputer=OU' ?

Rowland





More information about the samba mailing list