Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
| Task | Permissions Required to Perform Task | ||
|---|---|---|---|
Create a computer account |
CC on parent object (to create objects of class Computer) |
||
Delete a computer account |
SD on the computer object itself OR DC on parent object (to delete objects of class Computer) |
||
Rename a computer account |
WP on the computer object to modify all attributes
|
||
Move a computer account |
SD on the computer object itself OR DC on parent object (to delete objects of class Computer) CC on target parent (to create objects of class Computer) WP on the computer object to modify Common-Name attribute WP on the computer object to modify RDN attribute |
||
Disable a computer account |
WP on the computer object to modify User-Account-Control attribute |
||
Reset a computer account |
The Force-User-Change-Password extended right is required on the computer object Note In the UI, this extended right corresponds to Reset Password. |
||
Add a computer account to a group |
WP on the target group object to modify Member attribute |
||
Specify the Pre-Windows 2000 compatible name for a computer |
WP on the computer object to modify SAM-Account-Name attribute |
||
Set a computer’s DNS name |
Validated-DNS-Host-Name SW on the computer object |
||
Specify a computer’s role |
WP on the computer object to modify Machine-Role attribute |
||
Specify the computer’s description |
WP on the computer object to modify Description attribute |
||
Specify the computer’s location |
WP on the computer object to modify Location attribute |
||
Specify Managed-By information for a computer account |
WP on the computer object to modify Managed-By attribute |
||
Specify the Operating System running on a computer |
WP on the computer object to modify Operating-System attribute |
||
Specify the Operating System Service Pack for a computer |
WP on the computer object to modify Operating-System-Service-Pack attribute |
||
Specify the Operating System Version for the Computer |
WP on the computer object to modify Operating-System-Version attribute |
||
Specify a computer’s physical location |
WP on the computer object to modify Physical-Location-Object attribute |
||
Specify that a computer account be trusted for delegation |
WP on the computer object to modify User-Account-Control attribute The Enable computer and user accounts to be trusted for delegation user right is required — modified in Default Domain Controller Security Policy |
||
Specify whether a computer account can be trusted for delegation to any service (Kerberos only) |
User right “Enable User and Computer account to be trusted for Delegation” required (assigned in default Domain Controller Policy) |
||
Specify that a computer account be trusted for delegation to specific services only |
User right “Enable User and Computer account to be trusted for Delegation” required (assigned in default Domain Controller Policy) WP on the computer object to modify msDS-AllowedToDelegateTo attribute |
||
Specify “Use Kerberos Only” |
User right “Enable User and Computer account to be trusted for Delegation” required (assigned in default Domain Controller Policy) WP on the computer object to modify msDS-AllowedToDelegateTo attribute |
||
Specify “Use any authentication protocol” |
User right “Enable User and Computer account to be trusted for Delegation” required (assigned in default Domain Controller Policy) WP on the computer object to modify msDS-AllowedToDelegateTo attribute |
||
Add/Remove the services to which a computer account can be present delegated credentials |
WP on the computer object to modify msDS-AllowedToDelegateTo attribute |
.gif "note")
Note