Solved

Domain User Add Computers To Domain?

Posted on 2007-03-27
Last Modified: 2009-08-17
Windows 2003 Domain Controller, all computers in domain are Windows XP.

We have two new people in our group that we would like to be able to add computers to our domain.  They are regular "Domain Users", and we would like to keep them as such.  They will be adding computers via Control Panel >> System on the computer that is to be added.  How may we accomplish this?

I saw some threads regarding this, but it quickly got confusing.  I see that there is a policy on the DC at Domain Security Settings >> Security Settings >> User Rights Assignment that says "Add workstations to domain".

Will setting this policy (it is currently "not defined"):

a) OVERRIDE the default settings (as in, will I need to add Domain/Enterprise Admins to this policy as well?  or just those ADDITIONAL users I want to be adding computers?)

b)  Accomplish what I stated above.

Thank you.
Question by:dpsit
8 Comments
 
LVL 11

Accepted Solution

by:
AnthonyP9618 earned 250 total points
ID: 18805167
Hello dpsit,

From a Newsgroup posting... http://groups.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/efdfa32218673cd6/6a3a3329faf3c83e%236a3a3329faf3c83e

Create a new group called e.g. "Add Workstation to Domain" and add all the
accounts from your helpdesk to this group. Now edit "Default Domain
Controller" group policy under "Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment\". Here
look for policy named "Add workstations to domain" and double click on it.

Now add the group that you created (e.g. named "Add Workstation to Domain")
to this policy.

Wait for the replication to finish between the DCs and your help desk
personnel are now able to add workstations to domain.

Here is some more information on the policy.

Add workstations to domain
http://technet2.microsoft.com/WindowsServer/en/library/7207aa3e-d95d-4176-a1ca-bc629f1ca6981033.mspx?mfr=true
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18805171
By default a domain user can do what you are asking; you do not need to configure that policy.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18805173
too quick for me....
0
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18805178
:)

BTW... It's good to be back Jay!
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18805185
Good mate :)
0
 
LVL 5

Expert Comment

by:IvanVillamizar
ID: 18805408
10 times, only. If the users need to add more than 10 workstations, then you need either the policy or permissions to create computer objects in the OU where you want them to join computers.
If they are going to add fewer than 10 workstations to the domain, then as stated above, nothing needs to be done.
0
 
LVL 4

Expert Comment

by:jmhquest
ID: 18805742
You may want to use a combination of setting the "add workstations to domain" user right on the default domain controllers policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment) and granting the "Create Computer Objects" permission on the AD Computers container.

This MSDN page may be helpful: http://msdn2.microsoft.com/en-us/library/ms813615.aspx

Cheers.
0
 
LVL 4

Expert Comment

by:jmhquest
ID: 18805757
Another Microsoft KB article you may find useful:

Enhanced security joining or resetting machine account in Windows 2000 domain

http://support.microsoft.com/kb/238793
0
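
The 10-join default limit and the "Create Computer Objects" delegation discussed in the comments above can be audited from any domain-joined machine. The script below is an added example, not part of the original thread; it assumes PowerShell 3.0 or later and read access to the directory, relies on the `ms-DS-MachineAccountQuota` and `ms-DS-CreatorSID` attributes (not named in the thread), and the domain and group names in the final comment are placeholders.

```powershell
# Added example: report who has joined computers under the default per-user
# limit, and how many joins each account has left.

$root   = [ADSI]'LDAP://RootDSE'
$domain = [ADSI]("LDAP://" + $root.defaultNamingContext)

# Domain-wide limit on machine accounts an ordinary user may create (default 10).
$quota = [int]$domain.psbase.Properties['ms-DS-MachineAccountQuota'].Value
"ms-DS-MachineAccountQuota = $quota"

# Computer objects created through the "Add workstations to domain" user right
# record the creator's SID; objects created by admins or via delegated
# "Create Computer Objects" permission do not carry it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(&(objectCategory=computer)(ms-DS-CreatorSID=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('name')
[void]$searcher.PropertiesToLoad.Add('ms-ds-creatorsid')

$joined = $searcher.FindAll() | ForEach-Object {
    $bytes = $_.Properties['ms-ds-creatorsid'][0]
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # creator account no longer resolves
    [pscustomobject]@{ Creator = $who; Computer = $_.Properties['name'][0] }
}

# One row per creator: joins used and joins remaining under the quota.
$joined | Group-Object Creator | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Remaining'; e = { [math]::Max(0, $quota - $_.Count) } }

# To lift the limit for one group only, delegate "Create Computer Objects" on
# the target container (placeholder names; run as a domain admin):
#   dsacls "CN=Computers,DC=example,DC=com" /G "EXAMPLE\Add Workstation to Domain:CC;computer"
```

Accounts that appear with `Remaining` at 0 are the ones that will fail their next join unless they are covered by the user right or the delegated permission.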
