netadmins
asked on
Need a user to add computers to the domain without having domain admin rights
Greetings,
I have a user called wsadmin. This user is my workstation administrator and has local admin rights on all workstations. User cannot log on locally to any server. I need this user to be able to add systems to the domain since he builds them. I tried Group Policy in the User Rights Assignment section and added him to Add workstations to domain. Didn't work. I also tried adding user to Account Operators group which didn't work. Anyone know a good way to allow user to add systems to the domain without being a member of domain admins?
P.S. I thought of runas but you have to supply password. I do not want this user to have the password for a domain admin account.
ASKER
Thanks trywaredk,
I'm not sure if this applies though. The user is logged on as local administrator at a workstation not yet joined to the domain. The user attempts to add the system to the domain. After typing in the domain the user is prompted with a logon. When they try to log on they get this error:
Logon Failure: the user has not been granted the requested logon type at this computer.
The only way I have been able to allow the user to do this is add them to domain admins. I only want the user to have local administrator rights on the workstation and be able to add and remove computers to the domain. Have not been able to figure out how to pick and choose what the user can do within the domain.
ASKER
Been trying to figure out how to close questions so I can shut this one down. Thanks for the help.
The Experts Exchange Help Pages - About Closing Questions
https://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9
http://support.microsoft.com/default.aspx?scid=kb;en-us;201341&Product=win2000
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open