Hey Kevin - good to "read you" ;-)
 
Just want to add that you, Edwin, need to differentiate where you want your non-admin user to place the computer account. The method given by Kevin is only applicable to adding computers to the default computers container in the domain. Unless you're running 2003 and made some changes, this is not an OU, so you can't configure GPOs here...
 
Often you'll want to do the opposite: disallow non-admin users from adding computers to the default computers container (e.g. by configuring the ms-DS-MachineAccountQuota to 0 or changing the permissions for the Add workstations to domain user right), then grant permissions to join clients to a specific OU - for the latter the non-admin user needs to have create computer object permissions on the OU (and since he's the owner after creating the account, he can also delete it...)
 
Realize though, that by default the System-Properties UI of the clients will only join the computer to the default computer container (which will fail if you've restricted this approach), unless the non-admin user either first creates the computer account in the appropriate OU, or you make him use NETDOM with the /OU option to join a client to the correct OU at the time of the domain-join.
 
/Guido
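
The restrict-then-delegate approach described above, as an added example that is not part of the original messages. It assumes the ActiveDirectory PowerShell module plus the dsacls and netdom tools; the domain example.com, the OU "Workstations", the group EXAMPLE\PC-Joiners and the account EXAMPLE\joinuser are placeholders, and the quota attribute is addressed by its LDAP display name ms-DS-MachineAccountQuota.

```powershell
# Added example. All domain, OU, group and user names are placeholders (assumptions).
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$targetOu  = "OU=Workstations,$domainDn"   # hypothetical OU that has GPOs linked
$joinGroup = 'EXAMPLE\PC-Joiners'          # hypothetical group of non-admin joiners

# 1. Read the current quota on the domain object (10 unless it was changed).
$attr  = 'ms-DS-MachineAccountQuota'
$quota = (Get-ADObject -Identity $domainDn -Properties $attr).$attr
Write-Output "Current $attr = $quota"

# 2. Set the quota to 0 so ordinary users can no longer create machine
#    accounts in the default computers container.
Set-ADDomain -Identity $domainDn -Replace @{ $attr = 0 }

# 3. Delegate "create computer objects" (CC;computer) on the target OU only.
dsacls $targetOu /G "${joinGroup}:CC;computer"

# 4. Audit: computer accounts still sitting in the default container, with the
#    SID of the non-admin creator where the directory recorded one.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" -SearchScope OneLevel `
        -Properties 'mS-DS-CreatorSID', whenCreated |
    Select-Object Name, whenCreated, 'mS-DS-CreatorSID'

# 5. Run on the client as the delegated user: join straight into the OU,
#    because the System Properties UI would target the default container.
#    /PasswordD:* prompts for the password instead of taking it on the command line.
netdom join $env:COMPUTERNAME /Domain:example.com `
    "/OU:OU=Workstations,DC=example,DC=com" /UserD:EXAMPLE\joinuser /PasswordD:*
```

Steps 1 to 4 run from an administrative workstation; step 5 runs on the machine being joined and needs a reboot to complete the join.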


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Sullivan
Sent: Tuesday, August 24, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Computers to a Domain

Edwin,

 

You can do this a couple of different ways. First off, by default there is an attribute on the domain level called ms-DS-MachineAccountQuota and the value is 10. This allows users to join 10 computers to the domain without additional permissions. You can change this value if you need to.

 

If you want to give specific users the ability to create machine accounts you can use Group Policy and give the Add workstations to domain right to the users in question. (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain…)

 

This should do it. Also remember if the systems are pre-created in AD you will not need to go through this.

 

Kevin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Tuesday, August 24, 2004 8:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Joining Computers to a Domain

 

I believe that I have read something like this before but now that I need it, I can't find the answer.

 

I would like to be able to have a non-admin user with permissions of nothing more than being able to add a computer to a domain.  Is this possible?

 

Thank you for your responses.

 

Edwin
