Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Need a user to add computers to the domain without having domain admin rights

Posted on 2004-03-25
8
Medium Priority
?
181 Views
Last Modified: 2013-12-04
Greetings,

I have a user called wsadmin.  This user is my workstation administrator and has local admin rights on all workstations.  User can not log on locally to any server.  I need this user to be able to add systems to the domain since he builds them.  I tried Group Policy in the User Rights Assignment section and added him to Add workstations to domain.  Didn't work.  I also tried adding user to Account Operators group which didn't work.  Anyone know a good way to allow user to add systems to the domain withought being a member of domain admins?

P.S. I thought of runas but you have to supply password.  I do not want this user to have the password for a domain admin account.
0
Comment
Question by:netadmins
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
8 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10680881
Delegation of Administration Using Microsoft Management Console
http://support.microsoft.com/default.aspx?scid=kb;en-us;201341&Product=win2000

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 

Author Comment

by:netadmins
ID: 10681517
Thanks trywaredk,

I'm not sure if this applies though.  The user is logged on as local administrator at a workstation not yet joined to the domain.  The user attempts to add the system to the domain.  After typing in the domain the user is prompted with a logon.  When they try to logon the get this error:

Logon Failure: the user has not been granted the requested logon type at this computer.

The only way I have been able to allow the user to do this is add them to domain admins.  I only want the user to have local administor rights on the workstation and be able to add and remove computers to the domain.  Have not been able to figure out how to pick and choos what the user can do within the domain.
0
 
LVL 6

Accepted Solution

by:
DanniF earned 200 total points
ID: 10686382
This is actually taken from a document concerning joining an NT4 machine but this is what you do on the 2000 controller to solve your problem:

NOTE, I have edited this procedure to fit your environment, for the original document, see:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;251335

Method 2: Grant the "Create Computer Objects" and "Delete Computer Objects" Access Control Entries (ACEs) to the User
From the Active Directory Users and Computers snap-in, click Advanced Features on the View menu so that the Security tab is exposed when you click Properties.
Right-click the Computers container, and then click Properties.
On the Security tab, click Advanced.
On the Permissions tab, click The user name

Make sure the This object and all child objects option is displayed in the Apply onto box.
From the Permissions box, click to select the Allow check box next to the Create Computer Objects and Delete Computer Objects ACEs, and then click OK.

Hope this helps,

Daniel F.
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 

Author Comment

by:netadmins
ID: 10930172
Been trying to figure out how to close questions so I can shut this one down.  Thanks for the help.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967214
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967226
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9

0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question