Solved

Adding machines to domains for non-Administrators

Posted on 2006-06-16
10
305 Views
Last Modified: 2010-04-11
Hi,

we are running Server 2003 with AD and are having difficulty trying to set up a policy so that non-Administrators can add machines to the domain.

We have set the following policy on the DC:

Default Domain Policy\Windows Settings\Security Settings\Local Policies/User Rights Assignments\Add work stations to domains.

We have a security group configured for users that require this and have added it to the policy. However, they are still unable to add machines to the domain.

Is there anywhere else taht this should be done?

Any advice greatly appreciated.

Thanks

Lewis Hardwick
0
Comment
Question by:LFMSupport
10 Comments
 
LVL 13

Expert Comment

by:marine7275
ID: 16920670
I have never heard of such a thing. I have an understanding that you have to be a domain admin to add machines to the domain.????
0
 
LVL 1

Author Comment

by:LFMSupport
ID: 16920841
Agree'd that was my impresion. But I have definately spotted it.

I've uploaded a screen-shot so you can see where I mean.

<a href="http://img514.imageshack.us/my.php?image=adpolicy7ku.jpg" target="_blank"><img src="http://img514.imageshack.us/img514/844/adpolicy7ku.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a>
0
 
LVL 1

Author Comment

by:LFMSupport
ID: 16920858
OK, that didn't quite work...
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 1

Author Comment

by:LFMSupport
ID: 16920874
0
 
LVL 32

Expert Comment

by:jhance
ID: 16921395
You need NOT be an administrator to add workstations to the domain.  You need ONLY the "Add Workstation to Domain" user account privilege.  See:

http://www.netswitcher.com/V3/V3FAQ/netswitcher_v3_faq.htm#ADDOMAIN

for details on how to add this right to user accounts on the domain.
0
 
LVL 12

Expert Comment

by:NetAdmin2436
ID: 16923836
Interesting, didn't know you can do that...

Instead of messing with the default domain policy, how about create a new group policy in your domain. Make sure you add the non-admin security group on the security tab of the new group policy  and make sure the group is checked to 'apply group policy'. Then make sure that the new group policy is below the default domain policy in the link order, to ensure the new group policy isn't overridden.

Hope this helps
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16923954
You can delegate the rights to a group.

Just right click on the domain name in Active Directory users and computers.

Select delegate Control.
Select the right of add workstation to domain, and select the group to which this permissions is to be delegated.

That it, after this all users in that group could add workstation to domain.
0
 
LVL 2

Expert Comment

by:Dave Robinson
ID: 16942156
You're applying this to the Default Domain Policy.

Try applying this to the Default Domain Controllers Policy in the Domain Controllers OU.
0
 
LVL 3

Accepted Solution

by:
iwontleaveyou earned 125 total points
ID: 16954648
Dont provide this pilocy on the domain.

Insted Open teh Default domain controller security policy under the Administrative tool on windows 2003 domain controller.

In that add teh security group to the policy User rights assingment--> Add workstation to domain---> Add Your security group Here.

and this will work.

Best Of Luck

Regards
Nitesh
0
 
LVL 1

Author Comment

by:LFMSupport
ID: 16991479
Thanks Nitesh. That nailed it!

Regards

Lewis
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
how can I resolve Threat Has Been Detected message by AVAST? 4 166
How do You Stop a DDoS Attack 7 47
save browser passwords 11 71
physical security query stockroom concern 8 48
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question