How to restrict security level to linking of clients to domain only?

We are running a network with Windows 2000 Server. We need one of our technicians to have only enough security level to link clients to the domain, but nothing else. Is that possible to do and if so, how?
Erwin Krisch asked:
So he needs to be able to create computer accounts then?  I take it one technician will create the user account and settings, and then the restricted tech will go to the desktop and join it to the domain?

It can be done, he needs the "add workstation to domain" access right.  Create the tech as a normal user, then open Domain Security Policy. Go to Local Policies, User rights assignment.  Near the top is the Add workstation to domain right.  Enable the right and add the tech's username to the list.

Browse the other rights to see if he will need any other functions, but that should allow him to join a computer to the domain, and create the computer account using his logon details and not an admins.
Erwin Krisch (author) commented:
"I take it one technician will create the user account and settings, and then the restricted tech will go to the desktop and join it to the domain?"

Yes, the above is correct. But will he still have the ability to make other changes on the network like: creating accounts, changing security levels and sharing rights or deleting computers from the network? I hope not. This is a very basic technician who does not know much about networking. All we do is that when we get new clients, we let him wander around and access the local administrator accounts and then link the computers to the domain. Any other rights he should not have other than using his account to do the linking business as aforementioned.
Erwin Krisch (author) commented:
I tried the above. But it doesn't work. I created the user, logged on to the client as a local administrator, tried to join the client to the domain as the new user, but it tells me access denied.
You may also need to set the access under the Domain Controller Security policy.  On a DC there are 3 different areas to set various rights.

The local Group policy, the domain security policy and the domain controller policy.  Set this setting on each of these, and it should work.

There may be another right needed, but I'm pretty sure there is only the one. It certainly is possible, and no, he will not be able to do any other administrative things, other than those he has rights to.

Finally found the article I was thinking of.  There are other rights needed.  Method 2 in the article below, I believe, will sort it out for you: ;EN-US;251335
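The two approaches discussed in this thread (granting the "Add workstations to domain" user right on the domain controller, and delegating computer-object creation so the technician holds no other rights) can be scripted and verified from the DC. The following is an added example, not code from the thread; it assumes a domain CORP (DN DC=corp,DC=example), a technician account CORP\jtech, a domain controller named DC1, and the Windows 2000 Resource Kit ntrights.exe and Support Tools dsacls.exe installed on that DC. It is run from a Domain Admins session on DC1.

```powershell
# Added example, not part of the original thread. Assumed names: CORP\jtech (the
# restricted technician), DC1 (a domain controller), DC=corp,DC=example (the domain DN).
$Tech     = 'CORP\jtech'
$DC       = 'DC1'
$DomainDN = 'DC=corp,DC=example'
$CompDN   = "CN=Computers,$DomainDN"

# 1. Grant only the "Add workstations to domain" user right (SeMachineAccountPrivilege)
#    on the DC. ntrights edits the DC's local policy; if the Domain Controllers GPO also
#    defines this right, add the account there too or the next policy refresh reverts it.
ntrights.exe -u $Tech +r SeMachineAccountPrivilege -m "\\$DC"

# 2. Tighter alternative: delegate only Create Child (CC) and Delete Child (DC) of
#    computer objects, scoped to the Computers container and its sub-objects (/I:T).
#    This grants nothing on users, groups, shares or security settings.
dsacls.exe $CompDN /I:T /G "${Tech}:CCDC;computer"

# 3. Verify the technician holds no other user rights on the DC. secedit exports the
#    policy as an INF in which each right lists account SIDs prefixed with '*'.
$sid = (New-Object System.Security.Principal.NTAccount($Tech)).
          Translate([System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$held = Get-Content $inf | Where-Object { $_ -match [regex]::Escape($sid) }
$held | ForEach-Object { Write-Output "Right held by ${Tech}: $_" }
$extra = $held | Where-Object { $_ -notmatch '^SeMachineAccountPrivilege' }
if ($extra) { Write-Warning "$Tech holds rights beyond SeMachineAccountPrivilege: $extra" }

# 4. Check the per-user join limit. Windows 2000 lets every authenticated user join up to
#    ms-DS-MachineAccountQuota (default 10) computers even without the user right, so a
#    technician that is an ordinary domain user may already be able to join; set it to 0
#    if joining should require the explicit right or delegation above.
$quota = ([adsi]"LDAP://$DomainDN").Get('ms-DS-MachineAccountQuota')
Write-Output "ms-DS-MachineAccountQuota is $quota"
```

A practical caveat for the "access denied" reported above: if an administrator pre-creates the computer account (or an old account with the same name still exists), the joining user needs write permission on that existing object, which a plain user right does not give; either delete the stale object, delegate CC/DC as in step 2 so the technician creates the account himself, or have the administrator specify the technician as the user allowed to join when pre-creating it.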
