Who can add computer to a domain (windows 2003)???

Hi,
I'm reading this technet and it makes no senses, it says any users can add computers to a domain??
http://technet.microsoft.com/en-us/library/cc780195%28WS.10%29.aspx

And this one too?
http://technet.microsoft.com/en-us/library/cc781364%28WS.10%29.aspx
"By default, Authenticated Users in a domain are assigned the Add workstations to a domain user right and can create up to 10 computer accounts in the domain. For more information, see Related Topics."

I tried it with a simple domain user and it doesn't work, and I DON'T SEE why Microsoft would permit any user to add computers on the domain. That's a security hole and it's an open door to screw licenses accounting. The IT dept need to buy licenses for connected computers on a domain, if users can add thousands of computer how can we keep the counts, and keep AD structure clean? And who would want a user to bring his home computer and put it on the corporate network????

tx!
SigSupportAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joseph MoodyBlogger and wearer of all hats.Commented:
It is true. Most IT departments disable this feature and only allow managed machines to be created.
0
Mike KlineCommented:
by default it is 10 like the TechNet  article states.  That can be changed if you don't want that to be the case  

http://blogs.technet.com/b/jhoward/archive/2005/04/18/403817.aspx?wa=wsignin1.0

Thanks

Mike
0
simpsolCommented:
What you are reading in the technet articles is correct. By Default Any authenticated user is allowed to add upto 10 computers to the domain (might have changed in 2008). But there is group policy to disable this and only allow admins or groups you desingate to add the computers.

Whe I saw this the first time I had the same reaction as you, but I can guess the reason Microsoft might be doing that is lot of small businesses do not have an IT Department and therefore they set the default to authenticated users are allowed to add computers.

Below is the link to an article which show you how to only allow Admins to add computers to the domain

http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/How%20to%20allow%20specific%20users%20to%20add%20workstations%20to%20the%20domain.aspx
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

SigSupportAuthor Commented:
Simpsol,
I red your link and since on my domain normal users cannot add computers on the domain, I am trying why?
The link tells of 2 things the GPO and the Computer folder in AD.
On my Default Dmain Controllers Policy GPO I can see that MYDOMAIN\Domain Admins, Authenticated Users are in there, so sounds like users would be able to add 10 stations? no?
But on the Computer folder in AD, the only rights Authenticated Users have are List Contents, Read All Properties, Read Permissions.
So by what I understand, is users don't have create object on the Computer folder, because of the GPO they should be able to create computers up to 10? no?
Then why cannot they add any station (which I don't mind just looking to understand).
tx!
0
Joseph MoodyBlogger and wearer of all hats.Commented:
Someone probably altered the permissions on your Computers container to prevent users from being able to add computer accounts.
0
Lee_YCPCommented:
That functionality was included so machines could be pre-created in AD, permissions on the appropriate OU where it was pre-created would allow people with those permissions to add it to the domain while sitting in front of the client.  So, while it is possible for anyone to add machines, they need permissions to either create objects in AD or update a specific container.
0
SigSupportAuthor Commented:
Lee YCP,
That sounds interesting but can you clarify. What I understood is that if an admin adds a computer, say computer1, under COMPUTERS in AD. Then the user, simple domain user, sitting in front can add his computer to the domain???

And you say that : while it is possible for anyone to add machines, they need permissions to either create objects in AD or update a specific container
What does that means? How can add machines if they cannot add machines?
0
Lee_YCPCommented:
Ok.
Think of it like this, when you manually create a machine object in AD using the AC&U mmc, it simply creates a "placeholder", because it has no SID information definitively identifying that machine.  You can put that "placeholder" object in whatever container you wish(figuratively).  Then, when you visit the machine and step through the process on the client to add it to the domain, it finds the name and uses the domain credentials that you supplied to update the "placeholder" with the SID information for that machine.  So, you could create an object in AD for a new machine, place that object in an OU that domain\JOE_user has been delegated to manage, as long as Joe_User is an administrator on that machine, he/she can step through the paces and add that machine to Active Directory. It will be located in the OU that you, the administrator placed it in.

So, in most cases when domain\users can not add a machine to the domain, it is because they do not have permissions in Active Directory to insert the object.  Obviously local admin credentials are needed on the client to make the system changes, but domain\Joe_User could be in the administrators group.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee_YCPCommented:
clarification on the last sentence:
"but domain\Joe_User could be in the administrators group"
should have been:
"but domain\Joe_User could be in the local administrators group."
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.