colmisdiv
asked on
How to add pc to domain without domain admin rights
Need suggestions on how to add PCs to a domain without assigning domain admin rights to the user. What account type should they have? Domain controllers are 2008 and domain level is 2003.
ASKER
I want the network technician using their own credentials not mine.
Option 1: You can create the computer account manually (using your domain admin-account). Then any user can join the PC to the domain given he has admin rights on the PC. The downside of this is that I think the user can join at most 10 computers to the domain that way.
Option 2: Grant the necessary rights on the OU to join a PC to the domain. The necessary permissions are the following:
On the computer objects in the OU:
Reset Password
Validated write to DNS host name
Validated write to service principal name
Write account restriction
And on "This object and all child objects"
Create / Delete Computer Objects
We have used this setup for quite some time now and have had no problems whatsoever. The users who have been delegated these permissions can join computers to the domain without any problems.
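The Option 2 delegation above, scripted with `dsacls` and then read back from the OU's ACL so the result can be checked. This is an added example, not part of the original thread; the OU distinguished name and the group `EXAMPLE\JoinTechs` are placeholders, and it assumes an elevated PowerShell session with the AD DS tools installed.

```powershell
# Placeholders (assumptions): replace with your own OU and delegated group.
$OU    = 'OU=Workstations,DC=example,DC=com'
$Group = 'EXAMPLE\JoinTechs'

# Grant the rights listed in Option 2.
# /I:T = this object and all child objects, /I:S = child objects only;
# the trailing "computer" limits each ACE to computer objects.
$grants = @(
    @('/I:T', "${Group}:CCDC;computer"),
    @('/I:S', "${Group}:CA;Reset Password;computer"),
    @('/I:S', "${Group}:WS;Validated write to DNS host name;computer"),
    @('/I:S', "${Group}:WS;Validated write to service principal name;computer"),
    @('/I:S', "${Group}:WP;Account Restrictions;computer")
)
foreach ($g in $grants) {
    dsacls $OU $g[0] /G $g[1] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $($g[1])" }
}

# Read the explicit ACEs back and translate the well-known schema and
# rights GUIDs into the names shown in the security dialog.
$names = @{
    '00000000-0000-0000-0000-000000000000' = '(any)'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Account Restrictions'
}
$acl = ([ADSI]"LDAP://$OU").psbase.ObjectSecurity
$acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object ActiveDirectoryRights, InheritanceType,
        @{ n = 'Object';    e = { $names[$_.ObjectType.ToString()] } },
        @{ n = 'AppliesTo'; e = { $names[$_.InheritedObjectType.ToString()] } } |
    Format-Table -AutoSize
```

Any row for the group with a blank `Object` column is a right outside the list above and should be reviewed before the delegation is handed over.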
ASKER
I don't see these permissions when I right click on the computers OU.
If you go to the advanced options => Add, after you add the group you can choose
"apply to" to select "computer objects" or "this object and all child objects".
The mentioned permissions can be found in the object and properties-tabs.
I haven't tried using the Delegation of Control Wizard. Though it looks correct at first sight, please check in the advanced permission settings that the permissions actually are set the way I have described. If that's the case, it should work.
ASKER
Ok, if MS says so I guess it'll be correct. In the end the delegate control wizard does nothing different than setting the necessary permissions manually.
Sorry, I don't understand why "it is working exactly as requested" is worth only 0 points.
I'd appreciate a more detailed explanation.
ASKER
It is working exactly as requested.
When you join the PC to the domain it will ask for domain credentials. Put in your credentials (assuming you are a Domain Admin and authorized to add machines to the domain). You may need to put in the form of:
domainname\yourusername
password