The OU permissions prevail over the "add workstations to domain" user right which is defined in the default DC policy. So you don't need to change anything for your NONDAs.
 
However, the mentioned policy grants auth. users the right to join machines to a domain (up to 10 by default) => I usually remove this right for auth users but you can also change the ms-DS-MachineAccountQuota property of your domain (e.g. via ADSIedit) and set it to 0. Or, set it to a higher value if you want normal users to add even more machines to your domain (which I don't recommend).
 
/Guido
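
An added example, not part of the original message: a PowerShell check a domain administrator could run before setting ms-DS-MachineAccountQuota to 0, showing the current value and which accounts have already joined machines under the user right. It assumes the RSAT ActiveDirectory module is installed and relies on the mS-DS-CreatorSID attribute, which AD stamps on computer objects created through that right.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module;
# reading needs only domain read access, the final change needs Domain Admin.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Read the current quota from the domain head object (default is 10).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Find computer accounts created under the "add workstations to domain"
#    user right. Accounts created through delegated OU permissions (Create
#    Computer Objects) do not count against the quota and are not listed here.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
            -Properties 'mS-DS-CreatorSID', whenCreated

$report = foreach ($c in $joined) {
    $sid = $c.'mS-DS-CreatorSID'
    # The creating account may have been deleted since; keep the raw SID then.
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = "$sid (unresolved)" }
    [pscustomobject]@{ Creator = $who; Computer = $c.Name; Created = $c.whenCreated }
}

# 3. Summarise per creator so it is clear who depends on the quota today.
$report | Group-Object Creator | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Computers'; e = { $_.Group.Computer -join ', ' } } |
    Format-Table -AutoSize

# 4. Preview the change to 0. Remove -WhatIf to apply it once the accounts
#    listed above have been moved to a delegated group such as NONDOMAINADMINS.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```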

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Thursday, 16 June 2005 09:19
To: [email protected]
Subject: [ActiveDir] Add computers to domain

Hi all,

Single W2k3 domain

We have moved the default Computer Container to a newly created OU called "COMPUTERS".

On this OU, we have delegated Create Computer Objects and Delete Computer Objects to a group called "NONDOMAINADMINS"

This group is also a member of the local admins group on all member servers. Note that this group is not a member of the domain admins group.

I read somewhere that all authenticated users can add up to 10 workstations to the domain by default.

Would this group be restricted to the amount of computers it can add to the domain, as it is not a member of the domain admins group? If this group is restricted to 10 computers, how can I increase this?

Thanks

Frank
