Solved

How to add pc to domain without domain admin rights

Posted on 2011-03-16
11
731 Views
Last Modified: 2012-06-27
need suggestions on how to add pc's to a domain without assigning domain admin rights to the user. what account type should they have? Domain controllers are 2008 and domain level is 2003
0
Comment
Question by:colmisdiv
  • 5
  • 5
11 Comments
 
LVL 8

Expert Comment

by:sharkbot221984
ID: 35149383
Don't put the user in your Domain Admin's group.

When you join the PC to the domain it will ask for domain credentials.  Put in your credentials (assuming you are a Domain Admin and authorized to add machines to the domain).  You may need to put in the form of:

domainname\yourusername
password
0
 

Author Comment

by:colmisdiv
ID: 35149496
I want the network technician using their own credentials not mine.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35149738
Option 1: You can create the computer account manually (using your domain admin-account). Then any user can join the PC to the domain given he has admin rights on the PC. The downside of this is that I think the user can join at most 10 computers to the domain that way.
Option 2: Grant the necessary rights on the OU to join a PC to the domain. The necessary permissions are the following:
On the computer objects in the OU:
  Reset Password
  Validated write to DNS host name
  Validated write to service principal name
  Write account restriction
And on "This object and all child objects"
  Create / Delete Computer Objects

We use this setup for quite some time now and have no problem whatsoever. The users which have been delegated these permissions can join computers to the domain without any problems.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:colmisdiv
ID: 35149972
I don't see these permissions when i right click on the computers OU.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35150405
If you go to the advanced options => Add, after you add the group you can choose
"apply to" to select "computer objects" or "this object and all child objects".
The mentioned permissions can be found in the object and properties-tabs.
0
 

Accepted Solution

by:
colmisdiv earned 0 total points
ID: 35150765
This is what I did. Correct?

1.      Click Start, click Run, type dsa.msc, and then click OK.
2.      In the task pane, expand the domain node.
3.      Locate and right-click the OU that you want to modify, and then click Delegate Control.
4.      In the Delegation of Control Wizard, click Next.
5.      Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
6.      In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
7.      Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
8.      Click Next.
9.      In the Permissions list, click to select the following check boxes:
o      Reset Password
o      Read and write Account Restrictions
o      Validated write to DNS host name
o      Validated write to service principal name
10.      Click Next, and then click Finish
0
 
LVL 10

Expert Comment

by:abbright
ID: 35150936
I haven't tried using the Delegation of Control Wizard. Though it looks correct at first sight please check in the advanced permission settings that the permissions actually are set the way I have described. If that's the case it should work.
0
 

Author Comment

by:colmisdiv
ID: 35150949
0
 
LVL 10

Expert Comment

by:abbright
ID: 35151003
Ok, if MS says so I guess it'll be correct. In the end the delegate control wizard does nothing different than setting the necessary permissions manually.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35323336
Sorry, I don't understand why "it is working exactly as requested" is worth only 0 points.
I'd appreciate a more detailed explanation.
0
 

Author Closing Comment

by:colmisdiv
ID: 35360789
It is working exactly as requested.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question