Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


How to add pc to domain without domain admin rights

Posted on 2011-03-16
Medium Priority
Last Modified: 2012-06-27
need suggestions on how to add pc's to a domain without assigning domain admin rights to the user. what account type should they have? Domain controllers are 2008 and domain level is 2003
Question by:colmisdiv
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5

Expert Comment

ID: 35149383
Don't put the user in your Domain Admin's group.

When you join the PC to the domain it will ask for domain credentials.  Put in your credentials (assuming you are a Domain Admin and authorized to add machines to the domain).  You may need to put in the form of:


Author Comment

ID: 35149496
I want the network technician using their own credentials not mine.
LVL 10

Expert Comment

ID: 35149738
Option 1: You can create the computer account manually (using your domain admin-account). Then any user can join the PC to the domain given he has admin rights on the PC. The downside of this is that I think the user can join at most 10 computers to the domain that way.
Option 2: Grant the necessary rights on the OU to join a PC to the domain. The necessary permissions are the following:
On the computer objects in the OU:
  Reset Password
  Validated write to DNS host name
  Validated write to service principal name
  Write account restriction
And on "This object and all child objects"
  Create / Delete Computer Objects

We use this setup for quite some time now and have no problem whatsoever. The users which have been delegated these permissions can join computers to the domain without any problems.
Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control


Author Comment

ID: 35149972
I don't see these permissions when i right click on the computers OU.
LVL 10

Expert Comment

ID: 35150405
If you go to the advanced options => Add, after you add the group you can choose
"apply to" to select "computer objects" or "this object and all child objects".
The mentioned permissions can be found in the object and properties-tabs.

Accepted Solution

colmisdiv earned 0 total points
ID: 35150765
This is what I did. Correct?

1.      Click Start, click Run, type dsa.msc, and then click OK.
2.      In the task pane, expand the domain node.
3.      Locate and right-click the OU that you want to modify, and then click Delegate Control.
4.      In the Delegation of Control Wizard, click Next.
5.      Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
6.      In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
7.      Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
8.      Click Next.
9.      In the Permissions list, click to select the following check boxes:
o      Reset Password
o      Read and write Account Restrictions
o      Validated write to DNS host name
o      Validated write to service principal name
10.      Click Next, and then click Finish
LVL 10

Expert Comment

ID: 35150936
I haven't tried using the Delegation of Control Wizard. Though it looks correct at first sight please check in the advanced permission settings that the permissions actually are set the way I have described. If that's the case it should work.

Author Comment

ID: 35150949
LVL 10

Expert Comment

ID: 35151003
Ok, if MS says so I guess it'll be correct. In the end the delegate control wizard does nothing different than setting the necessary permissions manually.
LVL 10

Expert Comment

ID: 35323336
Sorry, I don't understand why "it is working exactly as requested" is worth only 0 points.
I'd appreciate a more detailed explanation.

Author Closing Comment

ID: 35360789
It is working exactly as requested.

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question