

Grant permission to add/remove computer from domain

Posted on 2008-01-30
Medium Priority
Last Modified: 2011-10-19
Hello, I'd like to grant my Student Worker's domain account the necessary permissions to add and remove computers from my domain. I'm pretty sure this can be accomplished through the Delegation of Control wizard, but what object do I grant, and then what level of permission?

*Windows 2000/2003 Active Directory Domain*

Thanks in advance!
Question by:ehaley
LVL 31

Accepted Solution

Toni Uranjek earned 1000 total points
ID: 20782076

You have the delegwiz.txt file with more options for Delegation of Control attached. Download it, rename the file to delegwiz.inf, and replace the delegwiz.inf file in the %systemroot%\inf folder. Run the wizard again and select the appropriate tasks, for example:

"Join a computer to the domain"
"Create a computer account"


LVL 51

Assisted Solution

Netman66 earned 1000 total points
ID: 20782091
Use Delegation of Control.
Create an AD security group and add this user to it.
For this group, grant Add/Delete child objects, selecting Computer objects.
Do this at the domain level.
When complete, open up the Security on the domain in ADUC and change the permissions for this group to Full Control for computer objects only.

If the Group doesn't have Full Control of Computer Objects then they cannot rename, delete or move existing computer accounts.
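The two ADUC steps above, scripted as an added example (this is not code from the thread). It assumes the RSAT ActiveDirectory module on a Windows Server 2008 R2 or later management host, since those cmdlets do not exist on 2000/2003; the group name 'Computer Joiners' is a placeholder. The first ACE is the wizard's "Create/Delete computer objects" at the domain root; the second is Full Control scoped to descendant computer objects only, which is what lets the group rename, move and delete existing accounts.

```powershell
# Added example: delegate computer-account management to a group at the domain root.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive and Get-AD* cmdlets).
Import-Module ActiveDirectory

$GroupName = 'Computer Joiners'            # assumption: placeholder group name
$DomainDN  = (Get-ADDomain).DistinguishedName

# Step 1: the security group that receives the delegation (created if missing).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path "CN=Users,$DomainDN" -PassThru
}
$sid = [System.Security.Principal.SecurityIdentifier]$group.SID

# Look up the schemaIDGUID of the 'computer' class instead of hard-coding it
# (it is bf967a86-0de6-11d0-a285-00aa003049e2 in every forest).
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                              -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

# Step 2: read the domain root's DACL through the AD: drive.
$acl = Get-Acl -Path "AD:\$DomainDN"

# ACE a: Create/Delete child objects of class computer, on the domain and every
# container below it (the "Add/Delete child objects ... Computer objects" step).
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE b: Full Control, inherited only by descendant objects of class computer,
# so the group can rename, move, reset and delete existing accounts but
# touches nothing else in the domain (the "Full Control for computer objects only" step).
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullControl)
Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

# Verify: list the ACEs the group now holds on the domain root. Expect one
# CreateChild, DeleteChild entry with ObjectType = computer class GUID and one
# GenericAll entry with InheritedObjectType = computer class GUID.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
```

Run it once as a Domain Admin; afterwards, members of the group can join, rejoin, rename and delete computer accounts anywhere in the domain without any further rights, which is the least-privilege shape of what the wizard does.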

Expert Comment

ID: 20782674
By default all members of the Domain Users group can join and disjoin computers to the network. Up to either 5 or 10.


Author Comment

ID: 20788114
Toniur - This looks great, but do you have a link to this file on a Microsoft site? You must understand that I cannot run an .INF file on my network without it coming from a trusted source. Please do not take offense. I still wish to receive this file because it appears to add a lot of important items to the Delegation of Control wizard.

Netman66 - I think this did the trick. I performed the steps as indicated above and my student worker was allowed to change his own workstation to a workgroup and back to the domain successfully.

LVNeptune - Incorrect, the ability to add-remove computer on a Windows 2000/2003 Active Directory domain is restricted to Domain Administrators, and as we see above, individuals whose accounts are granted the proper privileges.

Thank You all for your input!
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20788609
None taken, I thought it would be easier for you. ;)

Here is a link to "Appendix O: Active Directory Delegation Wizard File" from Microsoft:

Expert Comment

ID: 20789786
LVNeptune - Incorrect, the ability to add-remove computer on a Windows 2000/2003 Active Directory domain is restricted to Domain Administrators, and as we see above, individuals whose accounts are granted the proper privileges.

Are you talking about adding and removing the machine from ADUC? If so that may be true.


"Windows 2000 grants the "Add workstations to domain" privilege to the Authenticated Users group by default"

Direct from microsoft.
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20789894
LVNeptune, correct. :D Any user can add up to 10 computers to the domain by default.

Expert Comment

ID: 20789915
I am confused why I am being told I am incorrect...
LVL 51

Expert Comment

ID: 20789954
Regardless of what the texts say, try adding a computer to a domain as a normal user.

To begin with, you'd need to be local Admin to get the workstation part started off, but in the end you'll get denied.

He wanted a helper to have this right permanently rather than limit him to 5 joins (even if it worked).

LVL 31

Expert Comment

by:Toni Uranjek
ID: 20790141
Netman66, I have never had problems adding a computer to the domain with a standard domain user account; of course the process has to be initiated by a member of the local Administrators group.
I believe the default quota is 10.

IMHO, LVNeptune's suggestion can work, but in this case it does not help, because the asker wants his helpers to join an "unlimited" number of computers to the domain.
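An added check (not from the thread) for the setting the last few comments argue over. The per-user join limit is the ms-DS-MachineAccountQuota attribute on the domain object, which defaults to 10; a computer account created through that quota carries the joining user's SID in mS-DS-CreatorSID, so you can see who has used it. The script assumes the RSAT ActiveDirectory module; the final Set-ADObject line, left commented out, is the hardening step of setting the quota to 0 so that only explicitly delegated accounts (such as the group above) can join machines.

```powershell
# Added example: inspect, and optionally remove, the implicit "any user may join
# up to 10 machines" behaviour. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName

# 1. The quota itself (default 10; 0 disables non-delegated joins).
$quota = (Get-ADObject -Identity $DomainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $DomainDN = $quota"

# 2. Which accounts have consumed quota: computers created by a non-admin join
#    record the creator's SID in mS-DS-CreatorSID (stored as a byte array).
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID |
    ForEach-Object {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $creator = try {
            $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $sidObj.Value   # orphaned SID: the creating account no longer exists
        }
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $creator }
    } |
    Group-Object CreatedBy |
    Select-Object @{ n = 'CreatedBy'; e = { $_.Name } }, @{ n = 'Joins'; e = { $_.Count } } |
    Sort-Object Joins -Descending

# 3. Hardening (assumption about the desired end state, so left commented out):
#    with the quota at 0, a join succeeds only for principals that hold
#    CreateChild on computer objects in the target container.
# Set-ADObject -Identity $DomainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Note that the quota only governs joins that create a new account; it does not affect a join to a pre-staged computer account, and it does not grant any of the rename/move/delete rights the asker needed, which is why the delegated group is the right answer for a helper who must manage machines rather than occasionally join one.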

