NewbieAdmin


Delegate control so users can add computers to a domain

We have a domain named ERL.emhiser.internal. I was wondering if you could give me step-by-step instructions on how to delegate the ability to ERL\Users to add computers to the ERL.emhiser.internal domain. In Active Directory I can see that by right clicking on the ‘Users’ folder you can select Delegate Control and the ‘Delegation of Control Wizard’ comes up. From there I need some info on what to specify for users and groups, the object type, and the permissions.

We need to delegate this control so we can add existing computers to the domain.  An associate of ours had done this previously and it allowed us to add the computers to the domain without using the ADMT for migration.  Bottom line is that we need to migrate these computers to a newly established domain of the same name as the previous.  (The previous DC had a catastrophic failure and the backup also failed!)  We just want to be able to transfer the computers so that we don't have to migrate the user accounts that exist on the computers.  Thanks in advance for the help.
joedoe58

It is quite straightforward, but you have additional info here: http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/dsadmin_domain_delegate_control.htm

I would also like to ask some questions. You say that you have the user accounts still but not the computer accounts; how can that be? Both are stored in AD, so if you have one you would have the other. Was this the only DC in the domain? If not, then all data is stored on other DCs in your domain, so you only need to reinstall the OS on the crashed server to be up and running again.
NewbieAdmin

ASKER

We have two domains. There was a catastrophic failure on the only DC in the forest root and we had to rebuild from scratch. So, now we have a new domain with the same name as the old one. We want to bring all the clients into the domain with their existing user profiles on each individual computer. An associate was able to bring these computers into the new domain by delegating control somehow. He is not available at the moment, and we will be recreating the second domain and performing the same procedure. So, the computers and users exist on the clients, not the DC. We have a small network (20-30 workstations) and don't want to use ADMT on the second (child) domain to bring all the users/computers back in because we are worried that there may be bad replication data in the existing AD.

I guess the bottom line is that we will be building a new AD but want to keep the existing clients logging in as before with their same logins, desktops, favorites, documents, profiles, etc.  The clients range in OS from 98 to XP Pro.  

Just to get the big flashing "Idiot" sign off of our forehead, our plan is to correct the flaws in the previous system by maintaining multiple DCs in each of these domains and to test the backups so that we don't run into this problem again. But for now, we are just trying to get the two domains up and running with minimal impact on the employees.

Sorry, but I am still a bit at a loss here on what you want to accomplish. Do your users log in to the child domain or root domain? If the user and computer objects exist in the child domain, then you should not have so much of a problem since you only have to create the root domain. Otherwise, if you create new computer accounts and join the computers to the domain, then they will receive default settings, which means that all user settings will be lost.

Assume that we only have the one domain and that the only domain controller in that domain failed and the restore process failed. So we have to bring up that domain from scratch. All the users at their local computers need to log in to the newly created domain without losing all of the settings that exist on their local computer. We want them to be able to log in as if nothing has happened to the domain controller. What we had done previously, with the help of someone else, was to transfer those local computers, users and accounts to the Active Directory of the newly created domain (somehow this was done by delegating control to add computers or users). Thus we did not have to create all new accounts on the client machines and transfer the user settings to new profiles on the client computers.

ASKER CERTIFIED SOLUTION
joedoe58
