(1) each authenticated user may add/join 10 workstatiobs to the domain and the objects are owned by the administrators (2) yes (3) no! it is better to set the quota to zero or remove the authenticated users from that user right or do both. The best way is to delegate the right to create computers account and/or join workstations to some authorized group. (4) both This was also discussed a few days ago. Search the archives for template6 and you'll find how to delegate the permissions Cheers, #JORGE#
________________________________ From: [EMAIL PROTECTED] on behalf of Kern, Tom Sent: Fri 7/8/2005 10:47 PM To: ActiveDir (E-mail) Subject: [ActiveDir] joining to a domain i have a couple of questions about the attribute ms-DS-MachineAccountQuota that allows auth users to join 10 workstations to a domain 1. Do these computer accounts have to already be precreated in AD or can any user do a create/join? 2. I assume the user still has to be a local admin to change the domain in the system applet on the workstation? 3. Is this a valid way to allow certain users to join workstations or should you use a gpo or delegation wizard? which is the preferred method? I read somewhere that you shoudn't use the gpo method but i forget why. 4. does this right apply to memeber servers too or just worstations? thanks. sorry for all the questions List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
