depends on what you wish to achieve: 1. if you want to grant specific users the general rights to add computers to the default "Computers" container of the domain, then you'd do so by configuring the "Add workstations to Domain" user right in the Default Domain Controllers GPO. These users do not need any special rights on OUs, but depending on your OU structure and other rights you give them, they're also unable to move the computer objects to the OU they should be located in.
2. if you just want them to be able to add computers to a specific OU, then you'd delegate permissions as ACLs directly on the OU (not via GPO). At a minimum they'll need the rights to create computer accounts. Before being able to join clients to the domain via the UI, they'll now need to create the computer account in the target OU. You can also use the NETDOM reskit tool to join a computer to a domain directly into a given OU, in which case you don't need to pre-create the computer account in the OU. In general you should also remove the Userright "Add workstations to Domain" for Authenticated Users as otherwise every user will be able to join up to 10 clients to the AD domain (into the default Computer container). /Guido -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, February 09, 2005 7:15 PM To: [email protected] Subject: [ActiveDir] Add Computer to Domain If I wanted to grant a group the rights to join computers to the domain should I configure the User Assignment setting of a GPO to do that and if so should I create that GPO on the OU I want them to join computers to or do I have to do it at the domain level or within the Domain Controllers Policy? Justin A. Salandra MCSE Windows 2000 & 2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
