Desktop Support Team

Posted on 2011-04-26
Medium Priority
Last Modified: 2012-05-11
I would like to allow our desktop support team that pushes images out and adds workstations to the domain to be able to add more than the default 10.  I located this article that would allow the default user to add more than 10 ( http://support.microsoft.com/kb/243327/en-us ) but I don't want to do this at the domain level for the default user.

I would like to create a default group that can do this, and I do not want to add this group to the Domain Admins or Administrators group for the domain.  

Question by:rotarypwr

Expert Comment

ID: 35468889
You can put the users in an OU and create a GPO that allows more than 10; and assign it to that OU

Expert Comment

ID: 35468948
Yes you can allow using group policy. Add Group who can join the machine to domain.

And regarding bypassing default limit - You have to apply your recommended solution: http://support.microsoft.com/kb/243327/en-us

Accepted Solution

ashutoshsapre earned 800 total points
ID: 35469232
I am not sure how you are cloning your machines, but if you want these Desktop Support Users to be able only to join machines to the domain, and these machine accounts to be located in a specific OU, then you can delegate the rights of the OU to those users and customize it so that they can only join machines to the domain and not create user accounts.

For this just create a new group, and then right click on the OU to which the computer account should be added, then click on Delegation, then just follow the steps to delegate the right you want to the group.

But by doing so the user will have to manually create the computer account in the OU and then join the computer to the domain, the reason being that when a computer is joined to a domain, its account gets created by default in the Computers container.

Assisted Solution

by:Adam Brown
Adam Brown earned 1200 total points
ID: 35469728
The easiest way to allow users to add more than 10 computers to the domain is to assign them the Add Workstations to Domain User Right. If you have a single group that all the desktop team are members of, create a GPO and link it to the Domain. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add Workstations to Domain can be set up with the user groups that should be allowed to break the limit of 10 workstations. Doing this completely removes the limit for users in those groups.

Assisted Solution

by:Adam Brown
Adam Brown earned 1200 total points
ID: 35469893
Pff...Never mind. I'm wrong :D You can delegate the right using the instructions above or you can modify the ACLs on the OUs/Domain to add the "Create Computer Objects" permission. You can do this in ADUC by going to View and making sure Advanced Features is checked. From there you can Right Click on any OU in the domain, click on Properties, then go to the Security tab. Click on Advanced, then click Add and enter the group name for your desktop team. Once that's done, you'll be prompted with a list of specific permissions that you can add. Put a check next to Create Computer Objects under Allow and that group will no longer have the 10 computer limit.
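
The ACL change described in the answer above, scripted in PowerShell as an added example (not part of the original thread). It grants "Create Computer Objects" on a single OU to one group and then lists the explicit ACEs that allow it, so the delegation can be reviewed. The OU distinguished name and the group name are placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example: delegate "Create Computer objects" on one OU, then verify the result.
# Assumptions (not from the thread): the OU DN and group name below are placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Workstations,DC=example,DC=com'   # hypothetical target OU
$groupName = 'Desktop-Support-Join'                # hypothetical security group

# Look up the schemaIDGUID of the computer class instead of hard-coding it.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

$groupSid = (Get-ADGroup -Identity $groupName).SID

# Allow ACE: CreateChild restricted to computer objects, on this OU and its child OUs.
# Scoping to the computer class keeps the group from creating users or groups here.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify: explicit Allow ACEs on the OU that permit creating computer objects.
# An empty ObjectType GUID means "create any child object", which is broader.
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
(Get-Acl -Path $path).Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        ($_.ObjectType -eq $computerGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Running only the verification pipeline against an OU is a quick way to audit which principals already hold this delegation.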

Author Comment

ID: 35471505
I was able to accomplish this by:
A. Delegation
B. Giving the Sec. Group the rights to create objects and add computers.

Thanks All
