LFMSupport
asked on
Adding machines to domains for non-Administrators
Hi,
we are running Server 2003 with AD and are having difficulty trying to set up a policy so that non-Administrators can add machines to the domain.
We have set the following policy on the DC:
Default Domain Policy\Windows Settings\Security Settings\Local Policies/User Rights Assignments\Add work stations to domains.
We have a security group configured for users that require this and have added it to the policy. However, they are still unable to add machines to the domain.
Is there anywhere else that this should be done?
Any advice greatly appreciated.
Thanks
Lewis Hardwick
I have never heard of such a thing. I have an understanding that you have to be a domain admin to add machines to the domain.????
ASKER
Agreed, that was my impression. But I have definitely spotted it.
I've uploaded a screen-shot so you can see where I mean.
<a href="http://img514.imageshack.us/my.php?image=adpolicy7ku.jpg" target="_blank"><img src="http://img514.imageshack.us/img514/844/adpolicy7ku.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a>
ASKER
OK, that didn't quite work...
ASKER
Here... Sorry!
http://img514.imageshack.us/img514/844/adpolicy7ku.jpg
You need NOT be an administrator to add workstations to the domain. You need ONLY the "Add Workstation to Domain" user account privilege. See:
http://www.netswitcher.com/V3/V3FAQ/netswitcher_v3_faq.htm#ADDOMAIN
for details on how to add this right to user accounts on the domain.
Interesting, didn't know you can do that...
Instead of messing with the default domain policy, how about creating a new group policy in your domain? Make sure you add the non-admin security group on the security tab of the new group policy and make sure the group is checked to 'apply group policy'. Then make sure that the new group policy is below the default domain policy in the link order, to ensure the new group policy isn't overridden.
Hope this helps
You can delegate the rights to a group.
Just right-click on the domain name in Active Directory Users and Computers.
Select Delegate Control.
Select the right of add workstation to domain, and select the group to which this permission is to be delegated.
That's it, after this all users in that group could add workstations to the domain.
You're applying this to the Default Domain Policy.
Try applying this to the Default Domain Controllers Policy in the Domain Controllers OU.
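The "Add workstations to domain" user right (SeMachineAccountPrivilege) is evaluated on the domain controller that creates the computer account, so it only takes effect through a GPO that applies to the DCs. The following check is an added example, not part of the original thread: it assumes PowerShell is available on the DC, and `EXAMPLE\WorkstationJoiners` is a hypothetical group name to replace with your own.

```powershell
# Run on a domain controller from an elevated prompt, after the GPO change
# has been applied there (for example after running: gpupdate /force).
# $Group is a hypothetical name: substitute the security group you granted the right to.
param([string]$Group = 'EXAMPLE\WorkstationJoiners')

# Export the effective user rights assignment of this machine to an INF file.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# secedit writes one line per right: SeMachineAccountPrivilege = *S-1-5-...,*S-1-5-...
$line = Get-Content $cfg |
    Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'No account holds SeMachineAccountPrivilege on this DC.'
    return
}

# Entries prefixed with * are SIDs; resolve them to DOMAIN\name where possible.
$holders = ($line -split '=', 2)[1].Split(',') |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        if ($_.StartsWith('*')) {
            $sid = $_.Substring(1)
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $sid   # unresolvable SID (deleted account or foreign domain)
            }
        } else {
            $_         # already written as an account name
        }
    }

Write-Output 'Accounts holding "Add workstations to domain" on this DC:'
$holders | ForEach-Object { Write-Output "  $_" }

if ($holders -contains $Group) {
    Write-Output "$Group holds the right on this DC."
} else {
    Write-Output "$Group is NOT listed; check which GPO applies to the Domain Controllers OU."
}
```

The listing also shows every other principal that can create computer accounts, which is worth reviewing so the right stays limited to the groups that need it.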
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Thanks Nitesh. That nailed it!
Regards
Lewis