?
Solved

Domain User Add Computers To Domain?

Posted on 2007-03-27
8
Medium Priority
?
1,355 Views
Last Modified: 2009-08-17
Windows 2003 Domain Controller, all computers in domain are Windows XP.

We have two new people in our group that we would like to be able to add computers to our domain.  They are regular "Domain Users", and we would like to keep them as such.  They will be adding computers via Control Panel >> System on the computer that is to be added.  How may we accomplish this?

I saw some threads regarding this, but it quickly got confusing.  I see that there is a policy on the DC at Domain Security Settings >> Security Settings >> User Rights Assignment that says "Add workstations to domain".

Will setting this policy (it is currently "not defined"):

a) OVERRIDE the default settings (as in, will I need to add Domain/Enterprise Admins to this policy as well?  or just those ADDITIONAL users I want to be adding computers?)

b)  Accomplish what I stated above.

Thank you.
0
Comment
Question by:dpsit
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 11

Accepted Solution

by:
AnthonyP9618 earned 1000 total points
ID: 18805167
Hello dpsit,

From a Newsgroup posting... http://groups.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/efdfa32218673cd6/6a3a3329faf3c83e%236a3a3329faf3c83e

Create new group called e.g. "Add Workstation to Domain" and all the
accounts from your helpdesk to this group. Now edit "Default Domain
Controller" group policy under "Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment\". Here
look for policy named "Add workstations to domain" and double click on it.

Now add the group that you created (e.g. named "Add Workstation to Domain")
to this policy.

Wait for the replication to finish between the DCs and your help desk
personnel is now able to add workstations to domain.

Here is some more information on the policy.

Add workstations to domain
http://technet2.microsoft.com/WindowsServer/en/library/7207aa3e-d95d-4176-a1ca-bc629f1ca6981033.mspx?mfr=true
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18805171
by default a domain user can do what you are asking, you do not need to configure that policy
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18805173
too quick for me....
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18805178
:)

BTW... It's good to be back Jay!
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18805185
Goood mate :)
0
 
LVL 5

Expert Comment

by:IvanVillamizar
ID: 18805408
10 times, only. If the users need to add more than 10 workstations, then you need eiither the policy or perrmissions to create computer objects in the OU where you want them to join computers.
If they are going to add less than 10 workstations to the domain, then as stated above, nothing needs to be done.
0
 
LVL 4

Expert Comment

by:jmhquest
ID: 18805742
You may want to use a combination of setting the "add workstations to domain" user right on the default domain controllers policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment) and granting the "Create Computer Objects" permission on the AD Computers container.

This MSDN page may be helpful: http://msdn2.microsoft.com/en-us/library/ms813615.aspx

Cheers.
0
 
LVL 4

Expert Comment

by:jmhquest
ID: 18805757
Another Microsoft KB article you may find useful:

Enhanced security joining or resetting machine account in Windows 2000 domain

http://support.microsoft.com/kb/238793
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question