Solved

Need user that can add and remove computers from domain

Posted on 2010-09-04
10
745 Views
Last Modified: 2013-12-23
How can I allow a user to join and remove computers from our domain without making them domain admins?  Our computer objects are created in different OUs, but all OUs are under OurOrg_Computers.  I have created a user called DomainMgr; what must I do to give him the ability to add and remove computers from our domain?
0
Comment
Question by:bpl5000
10 Comments
 
LVL 14

Accepted Solution

by:
Shabarinath Ramadasan earned 300 total points
ID: 33604257
Use delegation on the required OU.
Using Active Directory Users and Computers:
-> Browse to the OU which has all your computers
-> Right click and select Delegate Control.
You need to select the right option to add/remove computer objects.
That's all you need.

Always give the least permissions - Thumb rule in IT Infrastructure Security.

Good luck
Shaba
0
 
LVL 1

Expert Comment

by:ManoranjanSinha
ID: 33604279
Yes, go through the above mentioned steps:-
i.e. From Administrative Tools--Active Directory Users and Computers--Browse to the OU which has all your computers--Right click and select Delegate Control--And select the option to add/remove objects.
0
 
LVL 7

Assisted Solution

by:Mohamed Khairy
Mohamed Khairy earned 200 total points
ID: 33605070
By default, any authenticated user has the right to join computers and can create up to 10 computer accounts in the domain. To accomplish your request, you have to delegate the appropriate user rights through the Active Directory Users and Computers console as previously explained in the experts' comments, but you have to take care with the permission step because you may receive the access denied error message.

Here are the detailed steps as given in the Microsoft article: http://support.microsoft.com/kb/932455


1- Click Start, click Run, type dsa.msc, and then click OK.

2- In the task pane, expand the domain node.

3- Locate and right-click the OU that you want to modify, and then click Delegate Control.

4- In the Delegation of Control Wizard, click Next.

5- Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.

6- In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

7- Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.

8- Click Next.

9- In the Permissions list, click to select the following check boxes:

- Reset Password
- Read and write Account Restrictions
- Validated write to DNS host name
- Validated write to service principal name

10- Click Next, and then click Finish.

11- Close the "Active Directory Users and Computers" MMC snap-in

Wish this may help.

Regards,
MKhairy


0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33606120
You can also simply add the user or group into the Account Administrators group in AD. It will solve your needs.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 33606138
0

 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 33606181
@iSiek: Administrators can join computers to the domain without any issues, and I think that bpl5000 is asking about granting the mentioned right or access to an ordinary user, who can be a member of the helpdesk team or his delegate, and in this case he doesn't want him/her to be granted unnecessary rights.

It's a way of security, nothing more than that.

0
 
LVL 5

Author Comment

by:bpl5000
ID: 33607239
@mkhairy, that is very interesting about the access denied error even after being delegated permission to do so.  I guess what I'll first do is set things up the way shabarinath has suggested and if I get errors, I'll do the steps that you listed.

Thanks for all the help!
0
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 33607306
You are most welcome, wish you all the success.
0
 
LVL 5

Author Comment

by:bpl5000
ID: 33614391
I am just now following shabarinath's instructions, but there doesn't seem to be an option for "add/remove computer objects" when delegating on an OU.  I see Create, Delete and Manage User Accounts, but nothing about computer accounts.
0
 
LVL 5

Author Comment

by:bpl5000
ID: 33614781
OK, it seems to me you need to go to the Properties of the OU, then the Security tab, then Advanced, then add the users with the rights to Create Computer Objects and Delete Computer Objects.
0
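The delegation described in MKhairy's wizard steps and in the OU Security tab approach above, done as a script so it can be repeated and reviewed (an added example, not code from this thread or from Microsoft). It assumes the ActiveDirectory PowerShell module and PowerShell 5 or later; the OU path and the DomainMgr account name are placeholders for your own environment.

```powershell
# Added example: delegate create/delete of computer objects on one OU.
# Assumes the ActiveDirectory module; OU and account are placeholders.
Import-Module ActiveDirectory

$ouDN = 'OU=OurOrg_Computers,DC=example,DC=com'   # placeholder OU
$sid  = (Get-ADUser 'DomainMgr').SID              # placeholder delegate
$root = Get-ADRootDSE

# Resolve GUIDs from the schema and Extended-Rights container at run time
# rather than hard-coding them.
$computerClass = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
function Get-RightsGuid([string]$Name) {
    [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter "(displayName=$Name)" -Properties rightsGuid).rightsGuid
}

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$acl   = Get-Acl -Path "AD:\$ouDN"

# Wizard step 7: create/delete computer objects in this OU and its sub-OUs.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $computerClass, $inh::All))

# Wizard step 9: extra rights scoped to descendant computer objects only, so
# the delegate gains nothing over user or group objects in the same OU.
$perms = @(
    @{ Rights = 'ExtendedRight';               Name = 'Reset Password' }
    @{ Rights = 'ReadProperty, WriteProperty'; Name = 'Account Restrictions' }
    @{ Rights = 'Self';                        Name = 'Validated write to DNS host name' }
    @{ Rights = 'Self';                        Name = 'Validated write to service principal name' }
)
foreach ($p in $perms) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$p.Rights, $allow,
        (Get-RightsGuid $p.Name), $inh::Descendents, $computerClass))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: the per-user default quota (10) that lets any authenticated user
# join machines; set it to 0 if joins should only happen via delegation.
$domainDN = (Get-ADDomain).DistinguishedName
(Get-ADObject $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

Run it as an account that can modify the OU's ACL, then confirm the result on the OU's Security tab under Advanced, where the entries appear as "Create/Delete Computer objects" and the computer-scoped rights.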
