Solved

Active Directory account permission - add\remove computers from forest

Posted on 2009-05-20
Last Modified: 2013-12-04
Hello -

I have a customer request to create a domain\forest account that has permission to add and remove computers.  Can someone please tell me what rights and\or group memberships this account should be given?

Thanks very much in advance -
Question by:sfrft99

Accepted Solution

by:
Americom earned 500 total points
ID: 24432211
Here's the suggestion:
If you need helpdesk folks to be able to join/disjoin computers to the domain, you need to do the following:
1. Create a group, something like HelpdeskAdmins
2. Add all the needed users to this group
3. Create an OU where you want them to be able to move/remove the computer object to this OU after the object is added to the domain.
4. Delegate the permission of this OU where they can add and remove computer objects to this OU.
5. You also need to delegate the add/remove computer permission to the default Computer container, as by default the computer is added to the Computer container, unless you pre-create the computer object in the above OU before they join the computer to the domain.

Hope this helps, but in case you need the steps for delegation:
1. Right-click the OU to which you want the computers added, and select Delegate Control.
2. Click Next.
3. Click Add.
4. After adding all the groups, click Next.
5. Select Create custom task to delegate and click Next.
6. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and click Next.
8. Check the Create all child objects box and click Next.
9. Click Finish.
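
The delegation described in the accepted answer, scripted as an added example (not part of the original post and not the answerer's own code), followed by a review of the resulting ACEs to confirm the group's rights are limited to computer objects. It assumes the RSAT ActiveDirectory module and dsacls.exe are available; the OU name "Workstations" is a hypothetical placeholder.

```powershell
# Added example. Assumed: RSAT ActiveDirectory module, dsacls.exe on PATH,
# and an OU named "Workstations" under the domain root (hypothetical name).
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$groupName = 'HelpdeskAdmins'      # group name suggested in the answer
$ouName    = 'Workstations'        # assumed OU name
$ouDn      = "OU=$ouName,$($domain.DistinguishedName)"
$trustee   = "$($domain.NetBIOSName)\$groupName"
# Schema GUID of the "computer" object class, used to check ACE scope below
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Steps 1 and 3: create the group and the OU if they do not exist yet
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}
# Step 2: add members, e.g. Add-ADGroupMember -Identity $groupName -Members <user>

# Steps 4 and 5: grant Create Child (CC) and Delete Child (DC), limited to
# computer objects, on the OU and on the default Computers container
$targets = $ouDn, $domain.ComputersContainer
foreach ($dn in $targets) {
    dsacls $dn /I:T /G "${trustee}:CCDC;computer" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $dn" }
}

# Review: list every ACE held by the group on both targets and flag any
# that is not scoped to the computer class
$report = foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $trustee } |
        Select-Object @{n='Target';e={$dn}}, ActiveDirectoryRights, AccessControlType,
            @{n='ComputerOnly';e={$_.ObjectType -eq $computerClass}}
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.ComputerOnly }) {
    Write-Warning "$trustee holds rights that are not limited to computer objects"
}
```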