Desktop Support Team

Posted on 2011-04-26
Last Modified: 2012-05-11
I would like to allow our desktop support team that pushes images out and adds workstations to the domain to be able to add more than the default 10.  I located this article that would allow the default user to add more than 10 ( ) but I don't want to do this at the domain level for the default user.

I would like to create a default group that can do this, and I do not want to add this group to the Domain Admins or Administrators group for the domain.  

Question by:rotarypwr
    LVL 12

    Expert Comment

    You can put the users in an OU, create a GPO that allows more than 10, and assign it to that OU.
    LVL 8

    Expert Comment

    Yes, you can allow this using Group Policy. Add the group that can join machines to the domain.

    And regarding bypassing the default limit: you have to apply your recommended solution.
    LVL 7

    Accepted Solution

    I am not sure how you are cloning your machines, but if you want these Desktop Support users to be able only to join machines to the domain, and these machine accounts to be located in a specific OU, then you can delegate rights on the OU to those users and customize it so that they can only join machines to the domain and not create user accounts.

    For this, just create a new group, then right-click the OU to which the computer account should be added, click on Delegation, and follow the steps to delegate the right you want to the group.

    But by doing so, the user will have to manually create the computer account in the OU and then join the computer to the domain. The reason is that when a computer is joined to a domain, its account gets created by default in the Computers container.
    LVL 37

    Assisted Solution

    by:Adam Brown
    The easiest way to allow users to add more than 10 computers to the domain is to assign them the Add Workstations to Domain user right. If you have a single group that all the desktop team are members of, create a GPO and link it to the domain. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add Workstations to Domain can be set up with the user groups that should be allowed to break the limit of 10 workstations. Doing this completely removes the limit for users in those groups.
    LVL 37

    Assisted Solution

    by:Adam Brown
    Pff...Never mind. I'm wrong :D You can delegate the right using the instructions above or you can modify the ACLs on the OUs/Domain to add the "Create Computer Objects" permission. You can do this in ADUC by going to View and making sure Advanced Features is checked. From there you can Right Click on any OU in the domain, click on Properties, then go to the Security tab. Click on Advanced, then click Add and enter the group name for your desktop team. Once that's done, you'll be prompted with a list of specific permissions that you can add. Put a check next to Create Computer Objects under Allow and that group will no longer have the 10 computer limit.

    Author Comment

    I was able to accomplish this by:
    A. Delegation
    B. Giving the Sec. Group the rights to create objects and add computers.

    Thanks All
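
The OU-level grant described in the answers above (Create Computer Objects for a dedicated group, with no change to the domain-wide default), as an added PowerShell example that is not part of the original thread. The OU distinguished name and the group name are assumed placeholders; the script needs the ActiveDirectory module (RSAT) and rights to modify the OU's ACL.

```powershell
# Added example: grant "Create Computer Objects" on one OU to one group, then audit the result.
Import-Module ActiveDirectory

$ouDn      = 'OU=Workstations,DC=example,DC=com'   # assumed OU for new workstations
$groupName = 'DesktopSupport'                      # assumed delegation group

# schemaIDGUID of the "computer" class: scopes the ACE to computer objects only,
# so the group cannot create users, groups or other object types in the OU.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Read-only check of the domain-wide quota (default 10); this script does not change it.
$domainDn = (Get-ADDomain).DistinguishedName
Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object DistinguishedName, 'ms-DS-MachineAccountQuota'

$group = Get-ADGroup -Identity $groupName
$path  = "AD:\$ouDn"
$acl   = Get-Acl -Path $path

# Allow CreateChild for the computer class on this OU and the OUs below it.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Audit: every principal that can create computer objects in this OU.
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $computerClass -and
                   ($_.ActiveDirectoryRights -band $createChild) } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  AccessControlType, InheritanceType, IsInherited
```

The final listing is worth keeping with the change record: it shows inherited entries as well, so any other principal already able to create computer objects in the OU is visible at the same time.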
