Hey Kevin - good to "read you" ;-)

Just want to add that you, Edwin, need to differentiate where you want your non-admin user to place the computer account. The method given by Kevin is only applicable to add computers to the default computers container in the domain. Unless you're running 2003 and made some changes, this is not an OU, so you can't configure GPOs here...

Often you'll want to do the opposite: disallow non-admin users to add computers to the default computers container (e.g. by configuring the ms-DC-MachineAccountQuota to 0 or changing the permissions for the Add workstations to domain user right), then grant permissions to join clients to a specific OU - for the latter the non-admin user needs to have create computer object permissions on the OU (and since he's the owner after creating the account, he can also delete it...)

Realize though, that by default the System-Properties UI of the clients will only join the computer to the default computer container (which will fail if you've restricted this approach), unless the non-admin user either first creates the computer account in the appropriate OU, or you make him use NETDOM with the /OU option to join a client to the correct OU at the time of the domain-join.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Sullivan
Sent: Tuesday, August 24, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Computers to a Domain

Edwin,

You can do this a couple of different ways. First off, by default there is an attribute on the domain level called ms-DC-MachineAccountQuota and the value is 10. This allows users to join 10 computers to the domain without additional permissions. You can change this value if you need to.

If you want to give specific users the ability to create machine accounts you can use Group Policy and give the Add workstations to domain right to the users in question. (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain…)

This should do it. Also remember if the systems are pre-created in AD you will not need to go through this.

Kevin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin

I believe that I have read something like this before but now that I need it, I can't find the answer.

I would like to be able to have a non-admin user with permissions of nothing more than being able to add a computer to a domain. Is this possible?

Thank you for your responses.

Edwin
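
Added example, not part of the original thread or any poster's own script: a PowerShell sketch of the approach Guido describes (close the default quota, delegate computer creation on one OU, then join with NETDOM /OU). It assumes the ActiveDirectory RSAT module and domain admin rights for the setup steps; the OU, group and account names are placeholders, and the quota is read under its LDAP display name ms-DS-MachineAccountQuota.

```powershell
# Added example. Values marked "placeholder" are assumptions, not from the thread.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName
$targetOu  = "OU=Workstations,$domainDn"                    # placeholder OU
$joinGroup = "$($domain.NetBIOSName)\Workstation-Joiners"   # placeholder group

# 1. Read the per-user machine account quota from the domain head object.
$head  = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
Write-Host "Current machine account quota: $quota"

# 2. Set the quota to 0 so ordinary users can no longer create computer
#    accounts in the default Computers container.
if ($quota -ne 0) {
    Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

# 3. Grant the delegated group "create child: computer" on the target OU only.
#    The creator owns the resulting account, so it can also delete it.
dsacls $targetOu /G "${joinGroup}:CC;computer"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# 4. Check that the ACE is present on the OU.
$ace = (Get-Acl "AD:\$targetOu").Access | Where-Object {
    $_.IdentityReference.Value -eq $joinGroup -and
    $_.ActiveDirectoryRights -match 'CreateChild'
}
if (-not $ace) { Write-Warning "No CreateChild ACE for $joinGroup on $targetOu" }

# 5. On the client, the delegated user joins straight into that OU, because the
#    System Properties dialog would target the default container and fail:
#
#    netdom join %COMPUTERNAME% /Domain:<domain DNS name> /OU:"<OU DN from $targetOu>" /UserD:<delegated user> /PasswordD:*
```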