asked on Join computer to a domain
I am sure I have asked this question in the past, but still need one more detail about it.
let say I want to our help desk group to be able to join computers to the domain.
1-I will create a computer account in an OU where it supposed to go
2-Delegate Create computer object to help desk group.
From here I am not sure if helpdesk group needs to be member of Administrators group in the workstation before they join it to the domain, or just delegation will take care of it.
Thanks
let say I want to our help desk group to be able to join computers to the domain.
1-I will create a computer account in an OU where it supposed to go
2-Delegate Create computer object to help desk group.
From here I am not sure if helpdesk group needs to be member of Administrators group in the workstation before they join it to the domain, or just delegation will take care of it.
Thanks
Active Directory
Last Comment
djhath
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
I think that the link was also asserting that the help desk group would likely only need the account operators group on the domain level.
Otherwise, though I haven't tested it, the instructions they provide to delegate the ability to join PCs to the domain seems otherwise straightforward. I'm actually going to give that a shot myself with that link, because I have a similar need to having a user be able to perform that function, which not having to grant them account operators group permission would be nice.
Otherwise, though I haven't tested it, the instructions they provide to delegate the ability to join PCs to the domain seems otherwise straightforward. I'm actually going to give that a shot myself with that link, because I have a similar need to having a user be able to perform that function, which not having to grant them account operators group permission would be nice.
ASKER
So all I need is to use the delegation as follows:
Click Start, click Run, type dsa.msc, and then click OK.
In the task pane, expand the domain node.
Locate and right-click the OU that you want to modify, and then click Delegate Control.
In the Delegation of Control Wizard, click Next.
Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
Click Only the following objects in the folder, and then from the list, click to select the following check boxes:
Computer objects
Create selected objects in this folder
Delete selected objects in this folder
Click Next.
In the Permissions list, click to select the following check boxes:
Reset Password
Validated write to DNS host name
Read and write Account Restrictions
Validated write to service principal name
Click Next, and then click Finish.
Close the "Active Directory Users and Computers" MMC snap-in.
Click Start, click Run, type dsa.msc, and then click OK.
In the task pane, expand the domain node.
Locate and right-click the OU that you want to modify, and then click Delegate Control.
In the Delegation of Control Wizard, click Next.
Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
Click Only the following objects in the folder, and then from the list, click to select the following check boxes:
Computer objects
Create selected objects in this folder
Delete selected objects in this folder
Click Next.
In the Permissions list, click to select the following check boxes:
Reset Password
Validated write to DNS host name
Read and write Account Restrictions
Validated write to service principal name
Click Next, and then click Finish.
Close the "Active Directory Users and Computers" MMC snap-in.
I'm sending myself an e-mail with this link to remember to try this tomorrow. I'll let you know how I make out.
Well, that didn't end up working for me, strangely. I'll see what else I can find.
This did it for me - https://www.experts-exchange.com/questions/22705592/Can-not-join-computer-to-the-domain.html
(see accepted solution)
(see accepted solution)
Good work!!
ASKER
djhath:
on the link above, I don't see which procedure resolved the issue.
Can you paste here the steps to take ?
on the link above, I don't see which procedure resolved the issue.
Can you paste here the steps to take ?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
so I don't need to add the help desk group to the local workstation administrator group?
No. I tested on a machine that was just being turned on for the first time and didn't make any modifications to local administrator security.
http://support.microsoft.com/default.aspx/kb/932455