Adding machines to domains for non-Administrators


We are running Server 2003 with AD and are having difficulty trying to set up a policy so that non-Administrators can add machines to the domain.

We have set the following policy on the DC:

Default Domain Policy\Windows Settings\Security Settings\Local Policies/User Rights Assignments\Add work stations to domains.

We have a security group configured for users that require this and have added it to the policy. However, they are still unable to add machines to the domain.

Is there anywhere else that this should be done?

Any advice greatly appreciated.


Lewis Hardwick

iwontleaveyou Commented:
Don't provide this policy on the domain.

Instead, open the Default Domain Controller Security Policy under Administrative Tools on the Windows 2003 domain controller.

In that, add the security group to the policy: User Rights Assignment --> Add workstation to domain --> add your security group here.

and this will work.

Best Of Luck

I have never heard of such a thing. I have an understanding that you have to be a domain admin to add machines to the domain.????
LFMSupportAuthor Commented:
Agreed, that was my impression. But I have definitely spotted it.

I've uploaded a screen-shot so you can see where I mean.


LFMSupportAuthor Commented:
OK, that didn't quite work...
LFMSupportAuthor Commented:
You need NOT be an administrator to add workstations to the domain.  You need ONLY the "Add Workstation to Domain" user account privilege.  See:

for details on how to add this right to user accounts on the domain.
Interesting, didn't know you can do that...

Instead of messing with the default domain policy, how about creating a new group policy in your domain? Make sure you add the non-admin security group on the Security tab of the new group policy and make sure the group is checked to 'apply group policy'. Then make sure that the new group policy is below the default domain policy in the link order, to ensure the new group policy isn't overridden.

Hope this helps
You can delegate the rights to a group.

Just right-click on the domain name in Active Directory Users and Computers.

Select Delegate Control.
Select the right of add workstation to domain, and select the group to which this permission is to be delegated.

That's it. After this, all users in that group could add workstations to the domain.
Dave Robinson Commented:
You're applying this to the Default Domain Policy.

Try applying this to the Default Domain Controllers Policy in the Domain Controllers OU.
LFMSupportAuthor Commented:
Thanks Nitesh. That nailed it!
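
To confirm the change discussed in this thread actually took effect, the following is an added example (not part of the original thread) that exports the effective user rights on a domain controller with `secedit` and lists who holds "Add workstations to domain" (`SeMachineAccountPrivilege`). It assumes PowerShell is installed and the prompt is elevated on the DC after a policy refresh; the function name `Get-MachineAccountPrivilegeHolders` and the temp file name are hypothetical.

```powershell
# Added example: list the principals that effectively hold
# SeMachineAccountPrivilege ("Add workstations to domain") on this DC.
# Function name and temp file name are illustrative, not from the thread.

function Get-MachineAccountPrivilegeHolders {
    param([string]$InfText)   # text of a secedit USER_RIGHTS export

    # The export has one line per right: "SeXxxPrivilege = *SID,*SID,name"
    $line = $InfText -split "`r?`n" |
        Where-Object { $_ -match '^\s*SeMachineAccountPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # right is not assigned to anyone

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }

        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to account names
            $sid = $entry.Substring(1)
            try {
                $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '(unresolved)'   # deleted account or unreachable domain
            }
            New-Object PSObject -Property @{ Sid = $sid; Name = $name }
        } else {
            # Entries without * are written as plain account names
            New-Object PSObject -Property @{ Sid = $null; Name = $entry }
        }
    }
}

# Export only the user-rights area of the effective local security policy
$tmp = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
Get-MachineAccountPrivilegeHolders (Get-Content $tmp | Out-String)
Remove-Item $tmp
```

If the security group does not appear in the output, the setting is not reaching the domain controller. Accounts that rely on this user right alone are also limited by the domain's `ms-DS-MachineAccountQuota` attribute (10 by default).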

