How to add pc to domain without domain admin rights

Posted on 2011-03-16
Last Modified: 2012-06-27
need suggestions on how to add pc's to a domain without assigning domain admin rights to the user. what account type should they have? Domain controllers are 2008 and domain level is 2003
Question by:colmisdiv
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5

Expert Comment

ID: 35149383
Don't put the user in your Domain Admin's group.

When you join the PC to the domain it will ask for domain credentials.  Put in your credentials (assuming you are a Domain Admin and authorized to add machines to the domain).  You may need to put in the form of:


Author Comment

ID: 35149496
I want the network technician using their own credentials not mine.
LVL 10

Expert Comment

ID: 35149738
Option 1: You can create the computer account manually (using your domain admin-account). Then any user can join the PC to the domain given he has admin rights on the PC. The downside of this is that I think the user can join at most 10 computers to the domain that way.
Option 2: Grant the necessary rights on the OU to join a PC to the domain. The necessary permissions are the following:
On the computer objects in the OU:
  Reset Password
  Validated write to DNS host name
  Validated write to service principal name
  Write account restriction
And on "This object and all child objects"
  Create / Delete Computer Objects

We use this setup for quite some time now and have no problem whatsoever. The users which have been delegated these permissions can join computers to the domain without any problems.
MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.


Author Comment

ID: 35149972
I don't see these permissions when i right click on the computers OU.
LVL 10

Expert Comment

ID: 35150405
If you go to the advanced options => Add, after you add the group you can choose
"apply to" to select "computer objects" or "this object and all child objects".
The mentioned permissions can be found in the object and properties-tabs.

Accepted Solution

colmisdiv earned 0 total points
ID: 35150765
This is what I did. Correct?

1.      Click Start, click Run, type dsa.msc, and then click OK.
2.      In the task pane, expand the domain node.
3.      Locate and right-click the OU that you want to modify, and then click Delegate Control.
4.      In the Delegation of Control Wizard, click Next.
5.      Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
6.      In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
7.      Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
8.      Click Next.
9.      In the Permissions list, click to select the following check boxes:
o      Reset Password
o      Read and write Account Restrictions
o      Validated write to DNS host name
o      Validated write to service principal name
10.      Click Next, and then click Finish
LVL 10

Expert Comment

ID: 35150936
I haven't tried using the Delegation of Control Wizard. Though it looks correct at first sight please check in the advanced permission settings that the permissions actually are set the way I have described. If that's the case it should work.

Author Comment

ID: 35150949
LVL 10

Expert Comment

ID: 35151003
Ok, if MS says so I guess it'll be correct. In the end the delegate control wizard does nothing different than setting the necessary permissions manually.
LVL 10

Expert Comment

ID: 35323336
Sorry, I don't understand why "it is working exactly as requested" is worth only 0 points.
I'd appreciate a more detailed explanation.

Author Closing Comment

ID: 35360789
It is working exactly as requested.

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. Here are 7 ways you can stay safe.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question