Solved

Adding machines to domains for non-Administrators

Posted on 2006-06-16
10
302 Views
Last Modified: 2010-04-11
Hi,

we are running Server 2003 with AD and are having difficulty trying to set up a policy so that non-Administrators can add machines to the domain.

We have set the following policy on the DC:

Default Domain Policy\Windows Settings\Security Settings\Local Policies/User Rights Assignments\Add work stations to domains.

We have a security group configured for users that require this and have added it to the policy. However, they are still unable to add machines to the domain.

Is there anywhere else taht this should be done?

Any advice greatly appreciated.

Thanks

Lewis Hardwick
0
Comment
Question by:LFMSupport
10 Comments
 
LVL 13

Expert Comment

by:marine7275
ID: 16920670
I have never heard of such a thing. I have an understanding that you have to be a domain admin to add machines to the domain.????
0
 
LVL 1

Author Comment

by:LFMSupport
ID: 16920841
Agree'd that was my impresion. But I have definately spotted it.

I've uploaded a screen-shot so you can see where I mean.

<a href="http://img514.imageshack.us/my.php?image=adpolicy7ku.jpg" target="_blank"><img src="http://img514.imageshack.us/img514/844/adpolicy7ku.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a>
0
 
LVL 1

Author Comment

by:LFMSupport
ID: 16920858
OK, that didn't quite work...
0
 
LVL 1

Author Comment

by:LFMSupport
ID: 16920874
0
 
LVL 32

Expert Comment

by:jhance
ID: 16921395
You need NOT be an administrator to add workstations to the domain.  You need ONLY the "Add Workstation to Domain" user account privilege.  See:

http://www.netswitcher.com/V3/V3FAQ/netswitcher_v3_faq.htm#ADDOMAIN

for details on how to add this right to user accounts on the domain.
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 12

Expert Comment

by:NetAdmin2436
ID: 16923836
Interesting, didn't know you can do that...

Instead of messing with the default domain policy, how about create a new group policy in your domain. Make sure you add the non-admin security group on the security tab of the new group policy  and make sure the group is checked to 'apply group policy'. Then make sure that the new group policy is below the default domain policy in the link order, to ensure the new group policy isn't overridden.

Hope this helps
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16923954
You can delegate the rights to a group.

Just right click on the domain name in Active Directory users and computers.

Select delegate Control.
Select the right of add workstation to domain, and select the group to which this permissions is to be delegated.

That it, after this all users in that group could add workstation to domain.
0
 
LVL 2

Expert Comment

by:Dave Robinson
ID: 16942156
You're applying this to the Default Domain Policy.

Try applying this to the Default Domain Controllers Policy in the Domain Controllers OU.
0
 
LVL 3

Accepted Solution

by:
iwontleaveyou earned 125 total points
ID: 16954648
Dont provide this pilocy on the domain.

Insted Open teh Default domain controller security policy under the Administrative tool on windows 2003 domain controller.

In that add teh security group to the policy User rights assingment--> Add workstation to domain---> Add Your security group Here.

and this will work.

Best Of Luck

Regards
Nitesh
0
 
LVL 1

Author Comment

by:LFMSupport
ID: 16991479
Thanks Nitesh. That nailed it!

Regards

Lewis
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now