Solved

Active Directory account permission - add\remove computers from forest

Posted on 2009-05-20
2
1,069 Views
Last Modified: 2013-12-04
Hello -

I have a customer request to create a domain\forest account that has permission to add and remove computers.  Can someone please tell me what rights and\or group memberships this account should be given?

Thanks very much in advance -
0
Comment
Question by:sfrft99
2 Comments
 
LVL 18

Accepted Solution

by:
Americom earned 500 total points
ID: 24432211
Here's the suggestion:
If you need to have helpdesk folks to be able to join/disjoin computers to the domain, you need to do the followings:
1. Create a group, something like HelpdeskAdmins
2. Add all the needed users to this group
3. Create an OU where you want them to be able to move/remove the computer object to this OU after the object is added to the domain.
4. Delgate the permission of this OU where they can add and remove computer object to this OU.
5. You also need to delgate the add/remove computer permission to the default Computer container as by default the computer is added to the Computer container. Unless you pre-create the computer object in the above OU before they join the computer to the domain.

Hope this help but in case you need the steps for delgation:
1. Right-click the OU which you want the computers added, and select Delegate Control.
2. click Next.
3. click Add.
4. After adding all the group, click Next.
5. Select Create custom task to delegate and click Next.
6. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and click Next.
8. Check the Create all child object box and click Next.
9. click Finish.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question