nscit
asked on
give support tech permissions to join a pc to domain, etc
We are hiring a new support tech and I want to off load some of the duties of setting up the PC and then joining to the domain or allowing him to give the person who's pc it will be power user or admin permissions to the box both of which will pop up the box wanting someone with domain permissions to allow this. Is there a way, without making him a domain admin, to allow him to be able to join a pc to the domain after he is done installing windows 7 or to elevate the PC owners user account to a power user or local admin?
I'm afraid to make him a domain admin so soon because this opens up access to AD and everything.
Thanks,
Shawn
I'm afraid to make him a domain admin so soon because this opens up access to AD and everything.
Thanks,
Shawn
ASKER
Thanks Trefenwyd,
So pointing to my first example then. I want to allow him to join a PC to the domain after he is done installing the OS. On the PC he would go to Computer Name Tab > Change > hit the Domain Tab and put in the Domain Name > it then would hit the DC and come back to the PC and want to authenticate with Domain Admin credentials which I don't want to give him. I on the AD side I would Delegate Control to the OU where we keep the Computer Objects but the host name of the PC would not be in the OU yet until it's joined so I'm still confused. The PC would not be in any OU until it is joined first by a domain admin I thought.
Please help me understand a little more.
Shawn
So pointing to my first example then. I want to allow him to join a PC to the domain after he is done installing the OS. On the PC he would go to Computer Name Tab > Change > hit the Domain Tab and put in the Domain Name > it then would hit the DC and come back to the PC and want to authenticate with Domain Admin credentials which I don't want to give him. I on the AD side I would Delegate Control to the OU where we keep the Computer Objects but the host name of the PC would not be in the OU yet until it's joined so I'm still confused. The PC would not be in any OU until it is joined first by a domain admin I thought.
Please help me understand a little more.
Shawn
You are right. In order to add to the domain the user who is authenticating during the "Join to domain" process will need the appropriate permissions.
Depending on how you want to give out permissions, you could do one of the following:
delegate control to the entire domain for this user to enable him to add machines to the domain
AND
delegate control to specific OU for other tasks
OR
delegate control to the entire domain for this user to do everything you want to allow
The second option keeps it more simple, but it also gives him permissions on the entire domain where you may want to limit it to specific OUs.
Depending on how you want to give out permissions, you could do one of the following:
delegate control to the entire domain for this user to enable him to add machines to the domain
AND
delegate control to specific OU for other tasks
OR
delegate control to the entire domain for this user to do everything you want to allow
The second option keeps it more simple, but it also gives him permissions on the entire domain where you may want to limit it to specific OUs.
ASKER
Thanks again.
I guess my question then when selecting either of your options above...I didn't see under Delegating Control to an OU for the support tech one that said something like "allow user to join pcs to the domain". Could you point me to what I might be looking for or the steps to take?
Shanw
I guess my question then when selecting either of your options above...I didn't see under Delegating Control to an OU for the support tech one that said something like "allow user to join pcs to the domain". Could you point me to what I might be looking for or the steps to take?
Shanw
In the Delegation of Control Wizard (right click on your domain and click Delegate Control) you will click Add and add the user's account, then click Next, then specify what permissions you want to grant. See image:
I should add that this permission is only available at the domain level - you will not see it if you enter the Delegation of Control Wizard on a specific OU.
ASKER
Awesome....so is this correct....Whatever OU the support tech user object falls in that I want to allow to join PCs to the domain I run the "Delegation of Control wizard" on that OU? It still seems like I would run this on the OU where the Computer Objects show up after they are joined to the domain but again they computer objects don't show up in the domain until someone has joined them so it seems backwards. Thanks.
ASKER
Gotta run for today but I will get back to you...thanks you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you.
ASKER
Trefenwyd,
I'm sorry to bother you again but I just noticed that I can join a PC to our domain with any user regular user account that I create. Why is this happening by default and where can I adjust this so that only domain admins or those who I delegate at the top OU (like we talked about) can join pcs to a domain. This is really troubling.
Thank you.
Shawn
I'm sorry to bother you again but I just noticed that I can join a PC to our domain with any user regular user account that I create. Why is this happening by default and where can I adjust this so that only domain admins or those who I delegate at the top OU (like we talked about) can join pcs to a domain. This is really troubling.
Thank you.
Shawn
You need to check the permissions (Properties | Security) at the domain level.
ASKER
I am sorry to keep bugging you.
I did delegate the tech support user I wanted to at the DOMAIN level and when I check Security Properties of his user account, which is in the list, it has "special" checked so when I go into advanced I see that the permissions say "create cmputer object" which I'm guessing you would need when you join a PC to the domain. So that is all good.
However, as I was saying I setup a couple of regular domain user accounts with only domain user permissions. Under the DOMAIN level the only single user name is the one for the tech support. So I look under "Authenticated Users" and it only has checked:
update pw not required bit
read domain pw and lkout pol
read other domain parameters
and Special and all the special permission are read
I look under "Everyone" and it only has checked:
read domain pw and lockout
read other domain parameters
So I am having a hard time finding how just "Authenticated Users" can accomplish adding a PC with their account credentials to the domain. The permissions I list above don't seem enough to be able to do so.
Any ideas.
Thank you very much letting me bother you again.
shawn
I did delegate the tech support user I wanted to at the DOMAIN level and when I check Security Properties of his user account, which is in the list, it has "special" checked so when I go into advanced I see that the permissions say "create cmputer object" which I'm guessing you would need when you join a PC to the domain. So that is all good.
However, as I was saying I setup a couple of regular domain user accounts with only domain user permissions. Under the DOMAIN level the only single user name is the one for the tech support. So I look under "Authenticated Users" and it only has checked:
update pw not required bit
read domain pw and lkout pol
read other domain parameters
and Special and all the special permission are read
I look under "Everyone" and it only has checked:
read domain pw and lockout
read other domain parameters
So I am having a hard time finding how just "Authenticated Users" can accomplish adding a PC with their account credentials to the domain. The permissions I list above don't seem enough to be able to do so.
Any ideas.
Thank you very much letting me bother you again.
shawn
By default users can add up to 10 machines to the domain. You can change this option.
http://support.microsoft.com/kb/243327/en-us
I have never done it this way.
http://support.microsoft.com/kb/243327/en-us
I have never done it this way.
ASKER
Let me ask you this. I guess this appeared to be a major red flag to me. Why is this allowed? Why can any domain user add 10 machines to a DOMAIN? Is this not a huge security flaw that should be stopped. This is what I see could easily happen....a user finds this out and could bring in a PC from home and join it to the domain with their standard domain credentials OR someone finds out a users credentials and can join any device to the domain.
Is there a reason you WOULD NOT disable this?
Thanks for your in sight.
Shawn
Is there a reason you WOULD NOT disable this?
Thanks for your in sight.
Shawn
This is built-in by Microsoft as you can read in the URL I provided in my last comment.
You can always change these permissions.
You can always change these permissions.
ASKER
Yes...i read the MS link. I was just curious what your thoughts were and maybe your reasons if you did not already disable this.
thanks again.
thanks again.
The best way to do this is by OU. You can give the tech specific permissions for a specific OU if you do not want him/her to have these permissions for the entire site.
http://technet.microsoft.com/en-us/library/cc775585(WS.10).aspx