[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Active Directory account permission - add\remove computers from forest

Posted on 2009-05-20
2
Medium Priority
?
1,077 Views
Last Modified: 2013-12-04
Hello -

I have a customer request to create a domain\forest account that has permission to add and remove computers.  Can someone please tell me what rights and\or group memberships this account should be given?

Thanks very much in advance -
0
Comment
Question by:sfrft99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 18

Accepted Solution

by:
Americom earned 2000 total points
ID: 24432211
Here's the suggestion:
If you need to have helpdesk folks to be able to join/disjoin computers to the domain, you need to do the followings:
1. Create a group, something like HelpdeskAdmins
2. Add all the needed users to this group
3. Create an OU where you want them to be able to move/remove the computer object to this OU after the object is added to the domain.
4. Delgate the permission of this OU where they can add and remove computer object to this OU.
5. You also need to delgate the add/remove computer permission to the default Computer container as by default the computer is added to the Computer container. Unless you pre-create the computer object in the above OU before they join the computer to the domain.

Hope this help but in case you need the steps for delgation:
1. Right-click the OU which you want the computers added, and select Delegate Control.
2. click Next.
3. click Add.
4. After adding all the group, click Next.
5. Select Create custom task to delegate and click Next.
6. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and click Next.
8. Check the Create all child object box and click Next.
9. click Finish.
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question