So I would have to use the delegation wizard at the OU level to add
workstations to the domain and ignore the user rights assignments at the
DC Level?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, February 10, 2005 3:53 AM
To: [email protected]
Subject: RE: [ActiveDir] Add Computer to Domain


Justin,

The "Add workstations to domain" user right (configured at DC level) by
default assigns each authenticated user the right to add 10 computers
(default configured quota for this) to the domain. Those computers will
be placed in the COMPUTERS CONTAINER and the default owner is "Domain
Admins".
However, users can be granted an unlimited number of computers they can
add to the domain if the permission has been granted to those users on a
certain OU, independently of whether the user right "add workstations to
domain" has been granted or not. The owner of the latter objects will be
the accounts that created them.
Most of the time it is not acceptable that users add computers to the
domain just like that. In the environment I created the design for, I
removed authenticated users from the user right, created a global group
and granted that global group permissions over a certain OU to create
computer accounts.

If I'm correct, the computer accounts need to be created first and then
you can join the computer to the domain (as with the join dialog box
there is no possibility to specify an OU), and with tools (e.g. NETDOM)
where you have the possibility to directly add a computer I presume it
is possible to do this without first creating the computer account.

Cheers,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, February 09, 2005 19:15
To: [email protected]
Subject: [ActiveDir] Add Computer to Domain

If I wanted to grant a group the rights to join computers to the domain
should I configure the User Assignment setting of a GPO to do that and
if so should I create that GPO on the OU I want them to join computers
to or do I have to do it at the domain level or within the Domain
Controllers Policy?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
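
An added example, not part of the original thread: a read-only PowerShell audit of the two mechanisms discussed above, the domain-wide quota behind the "Add workstations to domain" user right and the create-computer permission delegated on an OU. It assumes the RSAT ActiveDirectory module is installed; the OU name `OU=Workstations` is hypothetical.

```powershell
# Added example (not from the thread). Read-only; makes no changes to the directory.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Quota that backs the "Add workstations to domain" user right (default 10).
$root  = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
$quota = $root.'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on ${domainDn}: $quota"

# 2. Computer accounts created through the user right are stamped with
#    ms-DS-CreatorSID. Group them by creator to see who is using the quota.
$created = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
    -Properties 'ms-DS-CreatorSID', whenCreated
$report = foreach ($c in $created) {
    $sid = $c.'ms-DS-CreatorSID'
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # creator deleted or SID cannot be resolved
    [pscustomobject]@{
        Computer = $c.Name
        Creator  = $who
        Created  = $c.whenCreated
        DN       = $c.DistinguishedName
    }
}
$report | Group-Object Creator | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Who may create computer objects in the delegated OU.
$ouDn = "OU=Workstations,$domainDn"   # hypothetical OU, replace with your own
# schemaIDGUID of the "computer" object class
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

(Get-Acl -Path "AD:\$ouDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $createChild) -and
    ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Entries in step 3 with an empty `ObjectType` can create any child class, not only computers, so they deserve the same review as the explicit computer delegations.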
