Rich Milburn:

Thank you very much. That seems to have done it. I thought I had read that article before, but obviously not. I followed the instructions and now the machine is part of the domain. You were right. Once the NIC was recognized, everything else fell into place.


Guido:

What I did was add a regular user to the domain. I then created an OU named “Standby Workstations OU”. Within the advanced properties of the Remote Installation Server, I specified where I want the new machines to be added (Standby Workstations OU). Then the user that I added was given only “Create Computer Objects” on the OU and nothing more.


The user's login information was then put in the *.sif file. This, in combination with Rich’s last response, did what I wanted, which was adding the machine to the specific OU with a user that did not have administrative privileges.


The Remote Install folder share contained “Authenticated Users” with Read access. I removed that user group and left only Administrators and SYSTEM with full access. The reason I did that is that, for one, the share is not hidden from users on the network, so anyone can browse to the share and open and read the *.sif file, which could contain information that I may not want them to see, for example the above-mentioned user information. But if they did for some reason get access to read the file, they wouldn’t be able to do much with it, since it has minimal permissions.


If I can, I have one more question that I think would make my wish list complete.


In the *.sif file, under the [Identification] group, I can specify MachineObjectOU and give it an LDAP value of where I want the newly installed machine to be. I am already doing this via the advanced properties of the Remote Install Server.


Is there a way that I can add the machine automatically to a specific group within the answer file? Is there another method?


Thank you all for your replies.  This list rocks!


Edwin



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, August 24, 2004 12:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Computers to a Domain


Hey Kevin - good to "read you" ;-)


Just want to add that you, Edwin, need to differentiate where you want your non-admin user to place the computer account. The method given by Kevin is only applicable to adding computers to the default Computers container in the domain. Unless you're running 2003 and made some changes, this is not an OU, so you can't configure GPOs here...


Often you'll want to do the opposite: disallow non-admin users from adding computers to the default Computers container (e.g. by configuring the ms-DC-MachineAccountQuota to 0 or changing the permissions for the "Add workstations to domain" user right), then grant permissions to join clients to a specific OU. For the latter, the non-admin user needs to have Create Computer Object permissions on the OU (and since he's the owner after creating the account, he can also delete it...)


Realize, though, that by default the System Properties UI of the clients will only join the computer to the default Computers container (which will fail if you've restricted this approach), unless the non-admin user either first creates the computer account in the appropriate OU, or you make him use NETDOM with the /OU option to join a client to the correct OU at the time of the domain join.


/Guido
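The least-privilege join path described by Edwin (a dedicated account with only "Create Computer Objects" on one OU) and by Guido (close the default Computers container, then join straight into the OU with NETDOM /OU), as an added example that is not from the thread. Assumed names: domain contoso.com, OU "Standby Workstations", delegated account CONTOSO\ris-joiner; the quota attribute's LDAP name is ms-DS-MachineAccountQuota.

```batch
@echo off
:: Added example, not from the ActiveDir thread. All names below are assumptions.
set DOMAIN_DN=DC=contoso,DC=com
set TARGET_OU=OU=Standby Workstations,%DOMAIN_DN%
set JOINER=CONTOSO\ris-joiner

:: 1. Close the default path: with the machine-account quota at 0, ordinary
::    users can no longer create accounts in the Computers container at all.
(
  echo dn: %DOMAIN_DN%
  echo changetype: modify
  echo replace: ms-DS-MachineAccountQuota
  echo ms-DS-MachineAccountQuota: 0
  echo -
) > "%TEMP%\quota.ldf"
ldifde -i -f "%TEMP%\quota.ldf"

:: 2. Grant only "Create child objects of class computer" on the target OU.
::    Note the caveat from the thread: the account becomes the owner of every
::    computer object it creates, so it can still delete those objects.
dsacls "%TARGET_OU%" /G "%JOINER%:CC;computer"

:: 3. Review the resulting ACL on the OU; nothing beyond CC;computer should
::    have been added for the delegated account.
dsacls "%TARGET_OU%"

:: 4. On a client, join directly into the OU (the System Properties UI cannot
::    target an OU, so it would fail against the closed Computers container).
::    Run this on the workstation, not on the DC; "*" prompts for the password
::    so it is not left in the script.
:: netdom join %COMPUTERNAME% /Domain:contoso.com /OU:"%TARGET_OU%" /UserD:%JOINER% /PasswordD:*
```

Because the same credentials end up in clear text in the RIS *.sif answer file, keep the Remote Install share ACL as tight as Edwin describes above and give the join account no other rights.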



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Sullivan
Sent: Tuesday, August 24, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Computers to a Domain

Edwin,


You can do this a couple of different ways. First off, by default there is an attribute at the domain level called ms-DC-MachineAccountQuota, and its value is 10. This allows users to join 10 computers to the domain without additional permissions. You can change this value if you need to.


If you want to give specific users the ability to create machine accounts you can use Group Policy and give the Add workstations to domain right to the users in question. (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain…)


This should do it. Also remember if the systems are pre-created in AD you will not need to go through this.


Kevin



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Tuesday, August 24, 2004 8:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Joining Computers to a Domain


I believe that I have read something like this before, but now that I need it, I can't find the answer.


I would like to be able to have a non-admin user with permissions of nothing more than being able to add a computer to a domain.  Is this possible?


Thank you for your responses.


Edwin
