Go Premium for a chance to win a PS4. Enter to Win

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 312
  • Last Modified:

Adding machines to domains for non-Administrators


we are running Server 2003 with AD and are having difficulty trying to set up a policy so that non-Administrators can add machines to the domain.

We have set the following policy on the DC:

Default Domain Policy\Windows Settings\Security Settings\Local Policies/User Rights Assignments\Add work stations to domains.

We have a security group configured for users that require this and have added it to the policy. However, they are still unable to add machines to the domain.

Is there anywhere else taht this should be done?

Any advice greatly appreciated.


Lewis Hardwick
1 Solution
I have never heard of such a thing. I have an understanding that you have to be a domain admin to add machines to the domain.????
LFMSupportAuthor Commented:
Agree'd that was my impresion. But I have definately spotted it.

I've uploaded a screen-shot so you can see where I mean.

<a href="http://img514.imageshack.us/my.php?image=adpolicy7ku.jpg" target="_blank"><img src="http://img514.imageshack.us/img514/844/adpolicy7ku.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a>
LFMSupportAuthor Commented:
OK, that didn't quite work...
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LFMSupportAuthor Commented:
You need NOT be an administrator to add workstations to the domain.  You need ONLY the "Add Workstation to Domain" user account privilege.  See:


for details on how to add this right to user accounts on the domain.
Interesting, didn't know you can do that...

Instead of messing with the default domain policy, how about create a new group policy in your domain. Make sure you add the non-admin security group on the security tab of the new group policy  and make sure the group is checked to 'apply group policy'. Then make sure that the new group policy is below the default domain policy in the link order, to ensure the new group policy isn't overridden.

Hope this helps
You can delegate the rights to a group.

Just right click on the domain name in Active Directory users and computers.

Select delegate Control.
Select the right of add workstation to domain, and select the group to which this permissions is to be delegated.

That it, after this all users in that group could add workstation to domain.
Dave RobinsonCommented:
You're applying this to the Default Domain Policy.

Try applying this to the Default Domain Controllers Policy in the Domain Controllers OU.
Dont provide this pilocy on the domain.

Insted Open teh Default domain controller security policy under the Administrative tool on windows 2003 domain controller.

In that add teh security group to the policy User rights assingment--> Add workstation to domain---> Add Your security group Here.

and this will work.

Best Of Luck

LFMSupportAuthor Commented:
Thanks Nitesh. That nailed it!



Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now