Erwin Krisch

asked on

How to restrict security level to linking of clients to domain only?

We are running a network with Windows 2000 Server. We need one of our technicians to have only enough security level to link clients to the domain, but nothing else. Is that possible to do and, if yes, how?
SKULLS_Hawk

So he needs to be able to create computer accounts then? I take it one technician will create the user account and settings, and then the restricted tech will go to the desktop and join it to the domain?

It can be done; he needs the "Add workstations to domain" access right. Create the tech as a normal user, then open Domain Security Policy. Go to Local Policies, User Rights Assignment. Near the top is the "Add workstations to domain" right. Enable the right and add the tech's username to the list.

Browse the other rights to see if he will need any other functions, but that should allow him to join a computer to the domain and create the computer account using his logon details and not an admin's.

ASKER

“I take it one technician will create the user account and settings, and then the restricted tech will go to the desktop and join it to the domain?”

Yes, the above is correct. But will he still have the ability to make other changes on the network like: creating accounts, changing security levels and sharing rights or deleting computers from the network? I hope not. This is a very basic technician who does not know much about networking. All we do is that when we get new clients, we let him wander around and access the local administrator accounts and then link the computers to the domain. Any other rights he should not have other than using his account to do the linking business as aforementioned.
I tried the above, but it doesn't work. I created the user, logged on to the client as a local administrator and tried to join the client to the domain as the new user, but it tells me access denied.
You may also need to set the access under the Domain Controller Security Policy. On a DC there are 3 different areas to set various rights.

The local Group Policy, the Domain Security Policy and the Domain Controller Security Policy. Set this setting in each of these, and it should work.

There may be another right needed, but I'm pretty sure there is only the one, but it certainly is possible, and no he will not be able to do any other administrative things, other than those he has rights to.
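A way to verify what the two answers above describe, added here as an example and not posted by anyone in the thread: the "Add workstations to domain" right is stored as the privilege SeMachineAccountPrivilege, and `secedit /export /cfg <file> /areas USER_RIGHTS` writes the effective user-rights assignment of the machine it runs on (run it on a domain controller to see what the domain and domain controller policies actually resolved to). The script parses that export, lists who holds SeMachineAccountPrivilege, and flags any other privilege the technician account holds, which answers the asker's worry about the tech having more rights than intended. The account name CONTOSO\tech1 and the embedded sample export are constructed for the example; pass `-Live` to audit the real policy instead. Note that Authenticated Users (S-1-5-11) holds this right by default in a domain, capped by the ms-DS-MachineAccountQuota attribute (10 joins per user), so the right being granted is not by itself unusual.

```powershell
# Added example (not from the thread). Audits SeMachineAccountPrivilege
# ("Add workstations to domain") and any other privileges held by a given
# account, using the INF format written by `secedit /export`.
param(
    [string]$Technician = 'CONTOSO\tech1',   # assumed/constructed account name
    [switch]$Live                            # export this machine's effective policy
)

# Constructed sample of a secedit export; Authenticated Users (S-1-5-11)
# holds the join right by default, and tech1 has been added to it.
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11,CONTOSO\tech1
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRemoteShutdownPrivilege = *S-1-5-32-544,CONTOSO\tech1
[Version]
signature="$CHICAGO$"
Revision=1
'@

function ConvertTo-AccountName {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; account names are written as-is.
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry    # unresolvable SID (offline, orphaned): keep the raw value
        }
    }
    return $Entry
}

function Get-PrivilegeAssignments {
    param([string[]]$InfLines)
    # Returns a hashtable: privilege name -> array of account names.
    $result = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $priv    = $Matches[1]
        $entries = $Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $result[$priv] = @($entries | ForEach-Object { ConvertTo-AccountName $_ })
    }
    return $result
}

if ($Live) {
    $tmp = Join-Path $env:TEMP 'userrights.inf'
    # /areas USER_RIGHTS limits the export to the user-rights assignment.
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $tmp      # export is UTF-16 with BOM; Get-Content handles it
    Remove-Item $tmp -ErrorAction SilentlyContinue
} else {
    $lines = $SampleInf -split "`r?`n"
}

$assignments = Get-PrivilegeAssignments -InfLines $lines

Write-Host "Accounts holding SeMachineAccountPrivilege (Add workstations to domain):"
$assignments['SeMachineAccountPrivilege'] | ForEach-Object { Write-Host "  $_" }

# Every other privilege the technician holds is a deviation from "join only".
$extra = $assignments.Keys |
    Where-Object { $_ -ne 'SeMachineAccountPrivilege' -and $assignments[$_] -contains $Technician }
if ($extra) {
    Write-Warning "$Technician also holds: $($extra -join ', ')"
} else {
    Write-Host "$Technician holds no privilege other than SeMachineAccountPrivilege."
}
```

With the constructed sample the script warns that CONTOSO\tech1 also holds SeRemoteShutdownPrivilege, which is exactly the kind of stray right the asker wants to rule out; a clean result lists only the join right. Because the export reflects the effective policy of the machine it runs on, the useful place to run it with `-Live` is a domain controller, where local, domain and domain controller policy have all been applied.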

ASKER CERTIFIED SOLUTION
SKULLS_Hawk
