How to add pc to domain without domain admin rights

Posted on 2011-03-16
Last Modified: 2012-06-27
need suggestions on how to add pc's to a domain without assigning domain admin rights to the user. what account type should they have? Domain controllers are 2008 and domain level is 2003
Question by:colmisdiv
  • 5
  • 5

Expert Comment

ID: 35149383
Don't put the user in your Domain Admin's group.

When you join the PC to the domain it will ask for domain credentials.  Put in your credentials (assuming you are a Domain Admin and authorized to add machines to the domain).  You may need to put in the form of:


Author Comment

ID: 35149496
I want the network technician using their own credentials not mine.
LVL 10

Expert Comment

ID: 35149738
Option 1: You can create the computer account manually (using your domain admin-account). Then any user can join the PC to the domain given he has admin rights on the PC. The downside of this is that I think the user can join at most 10 computers to the domain that way.
Option 2: Grant the necessary rights on the OU to join a PC to the domain. The necessary permissions are the following:
On the computer objects in the OU:
  Reset Password
  Validated write to DNS host name
  Validated write to service principal name
  Write account restriction
And on "This object and all child objects"
  Create / Delete Computer Objects

We use this setup for quite some time now and have no problem whatsoever. The users which have been delegated these permissions can join computers to the domain without any problems.

Author Comment

ID: 35149972
I don't see these permissions when i right click on the computers OU.
LVL 10

Expert Comment

ID: 35150405
If you go to the advanced options => Add, after you add the group you can choose
"apply to" to select "computer objects" or "this object and all child objects".
The mentioned permissions can be found in the object and properties-tabs.
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.


Accepted Solution

colmisdiv earned 0 total points
ID: 35150765
This is what I did. Correct?

1.      Click Start, click Run, type dsa.msc, and then click OK.
2.      In the task pane, expand the domain node.
3.      Locate and right-click the OU that you want to modify, and then click Delegate Control.
4.      In the Delegation of Control Wizard, click Next.
5.      Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
6.      In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
7.      Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
8.      Click Next.
9.      In the Permissions list, click to select the following check boxes:
o      Reset Password
o      Read and write Account Restrictions
o      Validated write to DNS host name
o      Validated write to service principal name
10.      Click Next, and then click Finish
LVL 10

Expert Comment

ID: 35150936
I haven't tried using the Delegation of Control Wizard. Though it looks correct at first sight please check in the advanced permission settings that the permissions actually are set the way I have described. If that's the case it should work.

Author Comment

ID: 35150949
LVL 10

Expert Comment

ID: 35151003
Ok, if MS says so I guess it'll be correct. In the end the delegate control wizard does nothing different than setting the necessary permissions manually.
LVL 10

Expert Comment

ID: 35323336
Sorry, I don't understand why "it is working exactly as requested" is worth only 0 points.
I'd appreciate a more detailed explanation.

Author Closing Comment

ID: 35360789
It is working exactly as requested.

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now