Active Directory. Add group to Computer
-
Server
- FOG Version: 1.4.4
- OS: Centos 7
- LDAP: openldap
Description
Hi. I’m trying to use “join domain to active directory” and it works OK, but I need to assign one group to new computers added to my ldap.
Is this possible through the Active Directory settings?
-
@joseska said in Active Directory. Add group to Computer:
but I need to assign one group to new computers added to my ldap
Sorry, but I don’t get what you mean by this. Please explain in more detail. What kind of LDAP? What do you want to assign/add where?
-
Hi. I use “add to active directory” and it works great. But in my ldap (openldap on my Red Hat Enterprise) the computers added to my ldap from FOG are not assigned the correct primary group (maquinas).
I use this FOG setting: “ou=maquinas,dc=smb38,dc=samba” and it works OK. I’m asking if it is possible to change or make the primary group through this setting.
Sorry. I’m Spanish and my English is not very good.
Thanks…
-
@joseska This is getting closer but I am still not exactly sure what you mean.
I’m asking if it is possible to change or make the primary group through this setting.
Do you mean primary group for user accounts? I am not aware of something called primary group that has something to do with domain join…
-
Joseska,
I suggest a snapin would be a better place to add the computer to a group in LDAP. Assuming the computer is a Windows computer and you want to add that computer to the Samba emulation of Active Directory and assuming Samba emulates AD such that Windows PCs can find the Samba system(s) like they would a real Microsoft Domain Controller, a CMD command would do the trick. I’ve used commands like this below to put domain groups into local computer groups. This command, run as a snapin on a PC in a domain, will add a domain group to a local computer group - giving users in the domain group rights on the PC:
net localgroup administrators DomainName\DomainGroupName /add
I also believe you can add an AD computer object to a domain group with the same command. It’s abnormal to place a computer object in a domain, but I’ve used this approach to allow services on a specific PC to access network resources without having to place an AD account on a service. The downside of doing this is that all services on that computer have the same access rights, not just the service you intend to have those rights.
I believe this command will add a computer to an AD group:
net group DomainGroupName computername$ /add /domain
I don’t know if your LDAP/SAMBA/AD supports Group Policy Objects, but actions that need to be taken on machines just after they join a domain (so they work correctly for future users) are typically done in Startup Scripts inside a GPO applied to the OU to which the Machines are joined.
Hope this helps.
Jim