I have experienced the same problem: if local site admins are
joining computer objects to the domain, I will not join it in the OU where the
admin has delegated rights.

A workaround (did not find another solution yet) to this
problem is to let the local admin create the computer objects in advance in
the respective OU, and then the local admin can join the computer accounts to
the domain with no problems.

Another issue that arises, when the admin has done
this without creating the computer object in advance, is the 10x joining rule.

This article was previously published under Q251335

Windows 2000 grants the "Add
workstations to domain" privilege to the Authenticated Users group by
default. When this privilege is enabled, authenticated users can bypass the
access control list (ACL) check for up to a predefined maximum value. To
prevent misuse, the maximum number of machine accounts any authenticated user
can join is 10 by default.

Because the admin only has rights on the OU where he or she
has delegated rights, he or she can create as many computer objects as necessary
within that OU. But if the object is joined to the domain and is placed in the built-in
computers container, the above-mentioned rule will be executed.

Regards,
Technical Consultant

-----Original Message-----

We have many remote sites and an OU for each remote site. We're
delegating our site admins permissions to their site OUs, and creating security
group restriction policies to grant them local admin permissions on their
users' desktops.

The problem we're having is the site admins can't join new PCs to the domain. A Microsoft TS told us that AD will automatically add a
PC to an OU that you have rights to, but this doesn't seem to be the case. It
appears it's trying to add it to the builtin computers container instead, and
the site admins don't have rights to that.

How do we solve this? Is there some type of a script that we need
to be using to do this? We don't want to use RIS. We want all our
remote sites to be able to join computers to their OU at will.

Thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
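
The workaround and the 10-account limit discussed in the message above, as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module (which postdates this thread); the domain `example.com`, the OU `OU=Site01` and the computer name `SITE01-PC042` are hypothetical.

```powershell
# Added example, not from the thread. Hypothetical names: example.com, OU=Site01, SITE01-PC042.
Import-Module ActiveDirectory

$siteOU = 'OU=Site01,DC=example,DC=com'   # OU the site admin is delegated on (assumed)
$domain = Get-ADDomain

# Joins without a pre-created account land in the domain's default computers container.
"Default computers container: $($domain.ComputersContainer)"

# The default limit of 10 quoted from Q251335 is stored on the domain object.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# Accounts created through the "Add workstations to domain" privilege record
# their creator in mS-DS-CreatorSID, which is what the limit is counted against.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID' |
    Group-Object { [string]$_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $group = $_
        $who   = $group.Name                      # fall back to the raw SID string
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($group.Name)
            $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }                               # deleted or foreign account: keep the SID
        [pscustomobject]@{
            Creator = $who
            Created = $group.Count
            Quota   = $quota
            AtLimit = ($group.Count -ge $quota)
        }
    } | Sort-Object Created -Descending | Format-Table -AutoSize

# Workaround from the reply: the site admin pre-creates the computer object in the
# delegated OU, so the join needs no rights on the default container and does not
# rely on the "Add workstations to domain" privilege.
New-ADComputer -Name 'SITE01-PC042' -Path $siteOU -Enabled $true

# On the workstation itself, the join then uses the pre-created account:
#   Add-Computer -DomainName example.com -OUPath 'OU=Site01,DC=example,DC=com' `
#       -Credential (Get-Credential)
```

Run the pre-creation step under the delegated site admin's credentials so that it exercises exactly the rights that were delegated on the OU.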
