How to add pc to domain without domain admin rights

Posted on 2011-03-16
Last Modified: 2012-06-27
need suggestions on how to add pc's to a domain without assigning domain admin rights to the user. what account type should they have? Domain controllers are 2008 and domain level is 2003
Question by:colmisdiv
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5

Expert Comment

ID: 35149383
Don't put the user in your Domain Admin's group.

When you join the PC to the domain it will ask for domain credentials.  Put in your credentials (assuming you are a Domain Admin and authorized to add machines to the domain).  You may need to put in the form of:


Author Comment

ID: 35149496
I want the network technician using their own credentials not mine.
LVL 10

Expert Comment

ID: 35149738
Option 1: You can create the computer account manually (using your domain admin-account). Then any user can join the PC to the domain given he has admin rights on the PC. The downside of this is that I think the user can join at most 10 computers to the domain that way.
Option 2: Grant the necessary rights on the OU to join a PC to the domain. The necessary permissions are the following:
On the computer objects in the OU:
  Reset Password
  Validated write to DNS host name
  Validated write to service principal name
  Write account restriction
And on "This object and all child objects"
  Create / Delete Computer Objects

We use this setup for quite some time now and have no problem whatsoever. The users which have been delegated these permissions can join computers to the domain without any problems.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 35149972
I don't see these permissions when i right click on the computers OU.
LVL 10

Expert Comment

ID: 35150405
If you go to the advanced options => Add, after you add the group you can choose
"apply to" to select "computer objects" or "this object and all child objects".
The mentioned permissions can be found in the object and properties-tabs.

Accepted Solution

colmisdiv earned 0 total points
ID: 35150765
This is what I did. Correct?

1.      Click Start, click Run, type dsa.msc, and then click OK.
2.      In the task pane, expand the domain node.
3.      Locate and right-click the OU that you want to modify, and then click Delegate Control.
4.      In the Delegation of Control Wizard, click Next.
5.      Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
6.      In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
7.      Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
8.      Click Next.
9.      In the Permissions list, click to select the following check boxes:
o      Reset Password
o      Read and write Account Restrictions
o      Validated write to DNS host name
o      Validated write to service principal name
10.      Click Next, and then click Finish
LVL 10

Expert Comment

ID: 35150936
I haven't tried using the Delegation of Control Wizard. Though it looks correct at first sight please check in the advanced permission settings that the permissions actually are set the way I have described. If that's the case it should work.

Author Comment

ID: 35150949
LVL 10

Expert Comment

ID: 35151003
Ok, if MS says so I guess it'll be correct. In the end the delegate control wizard does nothing different than setting the necessary permissions manually.
LVL 10

Expert Comment

ID: 35323336
Sorry, I don't understand why "it is working exactly as requested" is worth only 0 points.
I'd appreciate a more detailed explanation.

Author Closing Comment

ID: 35360789
It is working exactly as requested.

Featured Post

Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
A hard and fast method for reducing Active Directory Administrators members.
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question