create a win2k3 domain account for someone to join PCs to the domain.
Can someone remind me if I need to create a domain account for someone to be able to join the WIN2K3 AD domain, what steps are needed?
I think by default, each domain account can join the PCs to the domain but it is limited to 20 times, right?
Thanks in advance.
I think by default, each domain account can join the PCs to the domain but it is limited to 20 times, right?
Thanks in advance.
I am not sure whether I understand your question correctly.
Do you want to create an account specifcally for joining PCs to domain ?
Do you want to create an account specifcally for joining PCs to domain ?
Hi nav2567,
There are 2 ways to do this -
A. DELEGATATION - You assign this role to a designated account and for this you will need to use "Active Directory Users and Computers" console.
--------------------------
1. Open the Active Directory Users and Computers snap-in.
2. Right-click the container under which you want the computers added, and press Delegate Control.
3. Press Next.
4. Press Add.
5. After adding all the users and/or groups, press Next.
6. Select Create custom task to delegate and press Next.
7. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and press Next.
8. Check the Create all child object box and press Next.
9. Press Finish.
--------------------------
B. Using Rights- Assignment in Group Policy.
--------------------------
1. Open the Default Domain Group policy.
2. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
3. Expand User Rights Assignment.
4. Double-click Add workstations to Domain.
5. Check the Define these policy settings box.
6. Press the Add User or Group button.
7. Complete the dialog to add the user or group.
8. Press Apply and OK.
--------------------------
Reference used - http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx
There are 2 ways to do this -
A. DELEGATATION - You assign this role to a designated account and for this you will need to use "Active Directory Users and Computers" console.
--------------------------
1. Open the Active Directory Users and Computers snap-in.
2. Right-click the container under which you want the computers added, and press Delegate Control.
3. Press Next.
4. Press Add.
5. After adding all the users and/or groups, press Next.
6. Select Create custom task to delegate and press Next.
7. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and press Next.
8. Check the Create all child object box and press Next.
9. Press Finish.
--------------------------
B. Using Rights- Assignment in Group Policy.
--------------------------
1. Open the Default Domain Group policy.
2. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
3. Expand User Rights Assignment.
4. Double-click Add workstations to Domain.
5. Check the Define these policy settings box.
6. Press the Add User or Group button.
7. Complete the dialog to add the user or group.
8. Press Apply and OK.
--------------------------
Reference used - http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx
BY Default any user can join up to 10 computers to the domain if you want to create a service account to add automatically built machines you will need to assign the user specific rights to do this. Let me know if you need to this and I will dig out the rights
pubeheed - Is there any KB article from Microsoft that states this restriction ?
pubeheed - Thank you for the article.
ASKER
Thanks everyone. I will test what you suggest and reply later. I really appreciate for everyone's feedback.
NO worries arunraj happy to help
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks.
you can create a new user, and assign them the right to join pc's to the domain (in their security tab)