How do I delegate domain users to change passwords and join computers to domain?

Posted on 2009-02-24
Last Modified: 2012-05-06
I am not sure exactly what I am doing wrong here. However, I have run the AD Delegation Wizard and added a Global Security group at the root of our Domain so that some of my users can change passwords and join computers to the domain.  I have not changed any settings in our Default Group Policy, and when the users try to join the machines to the Domain they are getting "Access Is Denied".

If anyone can point me in the right direction here it would be greatly appreciated.
Question by:bob_kochanski
    LVL 18

    Expert Comment

    It depends on the process your users use to join a computer to the domain. If you don't create the computer account first in the appropriate OU, then the computer account will be created in the "Computers" container, where by default users do not have the right to create any object.
    LVL 18

    Accepted Solution

    Also, you don't want to delegate users to be able to reset passwords or even join computers to the domain at the domain level. It is too risky at this level; only Domain Admins should have access at this level.

    Here's the suggestion:
    If you need helpdesk folks to be able to join/disjoin computers to the domain, you need to do the following:
    1. Create a group, something like HelpdeskAdmins.
    2. Add all the needed users to this group.
    3. Create an OU where you want them to be able to move/remove the computer object after the object is added to the domain.
    4. Delegate permission on this OU so that they can add and remove computer objects in it.
    5. You also need to delegate the add/remove computer permission on the default Computers container, as by default the computer is added to the Computers container, unless you pre-create the computer object in the above OU before they join the computer to the domain.

    Hope this helps, but in case you need the steps for delegation:
    Install GPMC if you haven't, and run the GPMC Console.
    1. Right-click the OU to which you want the computers added, and select Delegate Control.
    2. Click Next.
    3. Click Add.
    4. After adding all the groups, click Next.
    5. Select Create custom task to delegate and click Next.
    6. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and click Next.
    7. Check the Create all child objects box and click Next.
    8. Click Finish.

    As far as resetting user passwords etc., use the same delegation process, but instead of the OU of computers, you would delegate on the OU of user accounts.
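The delegation described in the accepted solution, scripted with the ActiveDirectory PowerShell module as an added example (this is not code from the original answer). The group name HelpdeskAdmins, the OU names Workstations and Staff, and the use of the module's AD: drive are assumptions; the schema class and extended-right GUIDs are the fixed, well-known values from the AD schema. It grants create/delete of computer objects on both the Workstations OU and the default Computers container (steps 4 and 5), and separately grants Reset Password plus write to pwdLastSet on user objects under the Staff OU, so none of the ACEs sit at the domain root.

```powershell
# Added example: scripted equivalent of the delegation steps above.
# Assumptions: ActiveDirectory module is present (RSAT / DC), PowerShell 5.1+,
# and the OUs "Workstations" and "Staff" already exist under the domain root.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$groupName   = 'HelpdeskAdmins'                                  # step 1 (assumed name)
$computerOU  = "OU=Workstations,$($domain.DistinguishedName)"    # step 3 (assumed name)
$userOU      = "OU=Staff,$($domain.DistinguishedName)"           # user OU for password resets (assumed name)
$computersCN = $domain.ComputersContainer                        # default CN=Computers (step 5)

# Well-known AD schema GUIDs (not site-specific)
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'    # computer object class
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'    # user object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'    # "Reset Password" extended right
$pwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'    # pwdLastSet attribute

# Steps 1 and 2: create the global security group; add members with Add-ADGroupMember.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                -Path "CN=Users,$($domain.DistinguishedName)"
}
$sid = (Get-ADGroup -Identity $groupName).SID

function Add-AdAce {
    # Append one ACE to the DACL of an AD object addressed by distinguished name.
    param([string]$Path, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$thisObject  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # .NET spelling

# Steps 4 and 5: create/delete *computer* objects only, on the OU and on CN=Computers.
foreach ($container in @($computerOU, $computersCN)) {
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow,
        $computerClass,     # objectType: limits the ACE to computer objects
        $thisObject)
    Add-AdAce -Path $container -Rule $rule
}

# Password resets: the "Reset Password" extended right on user objects under the user OU,
# plus read/write of pwdLastSet so the helpdesk can force "change password at next logon".
$resetRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow,
    $resetPassword,     # objectType: the extended right
    $descendants,
    $userClass)         # inheritedObjectType: applies to user objects only
$pwdRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow,
    $pwdLastSet,
    $descendants,
    $userClass)
Add-AdAce -Path $userOU -Rule $resetRule
Add-AdAce -Path $userOU -Rule $pwdRule

# Verify: list only the ACEs granted to the helpdesk group on each container.
foreach ($dn in @($computerOU, $computersCN, $userOU)) {
    "`n== $dn"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -eq $sid.Translate([System.Security.Principal.NTAccount]) } |
        Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
}
```

The objectType GUID on each ACE is what keeps the grant narrow: without it, "CreateChild, DeleteChild" on the OU would let the group create any object class there, and an ExtendedRight ACE with no objectType would grant every extended right on the users, including ones far more sensitive than a password reset. Run the verification loop again after the wizard has been used, since the wizard and the script should produce the same entries.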

    Author Closing Comment

    Thanks much, worked perfectly.
