Solved

Need user that can add and remove computers from domain

Posted on 2010-09-04
10
Medium Priority
753 Views
Last Modified: 2013-12-23
How can I allow a user to join  and remove computers from our domain without making them domain admins?  Our computer objects are created in different OUs, but all OUs are under OurOrg_Computers.  I have created a user called DomainMgr, what must I do to give him the ability to add and remove computers from our domain?
Question by:bpl5000
10 Comments
 
LVL 14

Accepted Solution

by:
Shabarinath Ramadasan earned 1200 total points
ID: 33604257
Use delegation on the required OU.
Using Active Directory Users and Computers
-> Browse to the OU which you have all computers
-> Right Click and select Delegate Control.
You need to select the right option to add/remove computer objects.
That's all you need.

Always give the least permissions - Thumb rule in IT Infrastructure Security.

Good luck
Shaba
0
 
LVL 1

Expert Comment

by:ManoranjanSinha
ID: 33604279
Yes, go through the above-mentioned steps:
i.e. from Administrative Tools -> Active Directory Users and Computers -> Browse to the OU which has all your computers -> Right click and select Delegate Control -> Select the option to add/remove objects.
0
 
LVL 7

Assisted Solution

by:Mohamed Khairy
Mohamed Khairy earned 800 total points
ID: 33605070
By default, any authenticated user has the right to join computers and can create up to 10 computer accounts in the domain. To accomplish your request, you have to delegate the appropriate user rights through the Active Directory Users and Computers console, as previously explained in the experts' comments, but you have to take care with the permission step because you may receive an access denied error message.

Here are the detailed steps as given in the Microsoft article: http://support.microsoft.com/kb/932455


1- Click Start, click Run, type dsa.msc, and then click OK.

2- In the task pane, expand the domain node.

3- Locate and right-click the OU that you want to modify, and then click Delegate Control.

4- In the Delegation of Control Wizard, click Next.

5- Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.

6- In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

7- Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.

8- Click Next.

9- In the Permissions list, click to select the following check boxes:

- Reset Password
- Read and write Account Restrictions
- Validated write to DNS host name
- Validated write to service principal name

10- Click Next, and then click Finish.

11- Close the "Active Directory Users and Computers" MMC snap-in.

I hope this helps.

Regards,
MKhairy


0
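The same delegation that the wizard steps above (and Shaba's accepted answer) perform through the GUI, as an added example that is not part of the thread: it grants the listed rights with dsacls.exe from an elevated PowerShell prompt on a domain-joined machine. The domain name and DN (EXAMPLE / DC=example,DC=local) are assumptions; the OU name OurOrg_Computers and the DomainMgr account come from the question.

```powershell
# Added example (not from the original thread). Assumed values: domain EXAMPLE,
# DN DC=example,DC=local. Adjust to your forest before running.
$Domain  = 'EXAMPLE'
$OU      = 'OU=OurOrg_Computers,DC=example,DC=local'
$Account = "$Domain\DomainMgr"

# Create/delete computer objects: must apply to the OU itself AND every child OU,
# so use /I:T (this object and all sub-objects). Scoped to the computer class only.
dsacls.exe $OU /I:T /G "${Account}:CCDC;computer" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'dsacls failed granting create/delete computer objects' }

# Rights that act ON computer objects (the step 9 list from the KB article). /I:S
# puts the ACE on sub-objects only, so nothing extra is granted on the OU itself.
$grants = @(
    'CA;Reset Password;computer'                              # extended right
    'RPWP;Account Restrictions;computer'                      # property set, read + write
    'WS;Validated write to DNS host name;computer'            # validated write
    'WS;Validated write to service principal name;computer'   # validated write
)
foreach ($g in $grants) {
    dsacls.exe $OU /I:S /G "${Account}:$g" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for grant '$g'" }
}

# Check what was actually written: list only the ACEs naming the delegated account.
dsacls.exe $OU | Select-String -SimpleMatch $Account

# The "10 computer accounts per authenticated user" default mentioned in the comment
# is ms-DS-MachineAccountQuota on the domain; read it so the delegation is not
# silently relying on that quota instead (requires the ActiveDirectory module).
Import-Module ActiveDirectory
$dn = (Get-ADDomain).DistinguishedName
(Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

dsacls prints "The command completed successfully" for each grant; if an ACE is missing from the review output, re-run that single grant rather than the whole script.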
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33606120
You can also simply add the user or group into the Account Administrators group in AD. It will solve your needs.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 33606138
0
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 33606181
@iSiek: Administrators can join computers to the domain without any issues, and I think that bpl5000 is asking about granting the mentioned right or access to an ordinary user, who can be a member of the helpdesk team or his delegate, and in this case he doesn't want him/her to be granted unnecessary rights.

It's a way of security, nothing more than that.

0
 
LVL 5

Author Comment

by:bpl5000
ID: 33607239
@mkhairy, that is very interesting about the access denied error even after being delegated permission to do so.  I guess what I'll first do is set things up the way shabarinath has suggested and if I get errors, I'll do the steps that you listed.

Thanks for all the help!
0
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 33607306
you are most welcome, wish you all the success.
0
 
LVL 5

Author Comment

by:bpl5000
ID: 33614391
I am just now following shabarinath's instructions, but there doesn't seem to be an option of "add/remove computer objects" when delegating on an OU.  I see Create, Delete and Manage User Accounts, but nothing about computer accounts.
0
 
LVL 5

Author Comment

by:bpl5000
ID: 33614781
Ok, it seems to me you need to go to the Properties of the OU, then the security tab, then Advanced, then add the users with the rights to Create Computer Objects and Delete Computer Objects.
0
