
give support tech permissions to join a pc to domain, etc

We are hiring a new support tech and I want to off load some of the duties of setting up the PC and then joining it to the domain, or allowing him to give the person whose PC it will be power user or admin permissions on the box, both of which will pop up the box wanting someone with domain permissions to allow this.  Is there a way, without making him a domain admin, to allow him to be able to join a PC to the domain after he is done installing Windows 7, or to elevate the PC owner's user account to a power user or local admin?
I'm afraid to make him a domain admin so soon because this opens up access to AD and everything.
Thanks,
Shawn

You can delegate administrative control to any level of a domain tree by creating organizational units within a domain and delegating administrative control for specific organizational units to particular users or groups.

The best way to do this is by OU. You can give the tech specific permissions for a specific OU if you do not want him/her to have these permissions for the entire site.
http://technet.microsoft.com/en-us/library/cc775585(WS.10).aspx

Author

Commented:
Thanks Trefenwyd,

So pointing to my first example then.  I want to allow him to join a PC to the domain after he is done installing the OS.  On the PC he would go to Computer Name Tab > Change > hit the Domain tab and put in the Domain Name > it then would hit the DC and come back to the PC and want to authenticate with Domain Admin credentials, which I don't want to give him.  On the AD side I would Delegate Control to the OU where we keep the Computer Objects, but the host name of the PC would not be in the OU yet until it's joined, so I'm still confused.  The PC would not be in any OU until it is joined first by a domain admin, I thought.

Please help me understand a little more.
Shawn
You are right. In order to add to the domain the user who is authenticating during the "Join to domain" process will need the appropriate permissions.

Depending on how you want to give out permissions, you could do one of the following:
delegate control to the entire domain for this user to enable him to add machines to the domain
AND
delegate control to specific OU for other tasks

OR

delegate control to the entire domain for this user to do everything you want to allow

The second option keeps it more simple, but it also gives him permissions on the entire domain where you may want to limit it to specific OUs.

Author

Commented:
Thanks again.
I guess my question then, when selecting either of your options above, is that I didn't see under Delegating Control to an OU for the support tech one that said something like "allow user to join PCs to the domain".  Could you point me to what I might be looking for or the steps to take?
Shawn
In the Delegation of Control Wizard (right click on your domain and click Delegate Control) you will click Add and add the user's account, then click Next, then specify what permissions you want to grant. See image:
(image: Delegation of Control Wizard)
I should add that this permission is only available at the domain level - you will not see it if you enter the Delegation of Control Wizard on a specific OU.

Author

Commented:
Awesome....so is this correct....Whatever OU the support tech user object falls in that I want to allow to join PCs to the domain, I run the "Delegation of Control wizard" on that OU?  It still seems like I would run this on the OU where the Computer Objects show up after they are joined to the domain, but again the computer objects don't show up in the domain until someone has joined them, so it seems backwards.  Thanks.

Author

Commented:
Gotta run for today but I will get back to you...thank you.
You run the Delegation of Control Wizard to the OU (or domain) where you want the user to HAVE control. When you right click you are specifying WHERE. When you go through the Wizard you are specifying WHO.

By right clicking on the OU (or domain) you are saying "I want to use the Delegation of Control Wizard to give permissions to this OU (or domain)" and you will enter the user when you go through the Wizard.

When computers are joined to the domain they are joined to "Computers". If you put the computers into a different OU, the user will need the appropriate permissions, I believe on both OUs. These permissions are not just a simple checkbox but you create them by selecting "Create a custom task to delegate" during the Wizard on that OU.

Author

Commented:
Thank you.

Author

Commented:
Trefenwyd,
I'm sorry to bother you again but I just noticed that I can join a PC to our domain with any regular user account that I create.  Why is this happening by default and where can I adjust this so that only domain admins or those who I delegate at the top OU (like we talked about) can join PCs to the domain?  This is really troubling.
Thank you.
Shawn
You need to check the permissions (Properties | Security) at the domain level.

Author

Commented:
I am sorry to keep bugging you.
I did delegate the tech support user I wanted to at the DOMAIN level and when I check Security Properties of his user account, which is in the list, it has "special" checked, so when I go into advanced I see that the permissions say "create computer object", which I'm guessing you would need when you join a PC to the domain.  So that is all good.
However, as I was saying I setup a couple of regular domain user accounts with only domain user permissions.  Under the DOMAIN level the only single user name is the one for the tech support.  So I look under "Authenticated Users" and it only has checked:
update pw not required bit
read domain pw and lkout pol
read other domain parameters
and Special, and all the special permissions are read

I look under "Everyone" and it only has checked:
read domain pw and lockout
read other domain parameters

So I am having a hard time finding how just "Authenticated Users" can accomplish adding a PC with their account credentials to the domain.  The permissions I list above don't seem enough to be able to do so.
Any ideas.
Thank you very much letting me bother you again.
shawn
By default users can add up to 10 machines to the domain. You can change this option.

http://support.microsoft.com/kb/243327/en-us

I have never done it this way.
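An added PowerShell example, not from the thread, that makes the two changes discussed above from a script rather than the GUI: it lists which machines were joined under the default quota, sets the quota to 0, and grants a group the Create Computer objects right on the Computers container (the same ACE the wizard's "Create a custom task to delegate" produces). The group name "Workstation-Joiners", the RSAT ActiveDirectory module and Domain Admin rights are assumptions.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# Domain Admin rights, and a security group "Workstation-Joiners" (hypothetical)
# that holds the support tech's account.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Read the quota that lets every authenticated user join up to 10 machines.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota is currently $quota"

# 2. Detection: AD stamps mS-DS-CreatorSID on a computer object only when the
#    creator had no explicit Create Computer right, i.e. the join used the quota.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator account may since have been deleted
        "{0} was joined under the quota by {1}" -f $_.Name, $who
    }

# 3. Set the quota to 0 so only explicitly delegated principals can join machines.
Set-ADDomain -Identity $domain -Replace @{'ms-DS-MachineAccountQuota' = 0}

# 4. Delegate "Create Computer objects" on the Computers container (where joins
#    land by default) to the group instead of making the tech a Domain Admin.
$computersDN       = $domain.ComputersContainer
$group             = Get-ADGroup 'Workstation-Joiners'
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of "computer"

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$computersDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$computersDN" -AclObject $acl
```

If computers are later moved into a different OU, as the thread notes, repeat step 4 against that OU's distinguished name as well.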

Author

Commented:
Let me ask you this.  I guess this appeared to be a major red flag to me.  Why is this allowed?  Why can any domain user add 10 machines to a DOMAIN?  Is this not a huge security flaw that should be stopped?  This is what I see could easily happen....a user finds this out and could bring in a PC from home and join it to the domain with their standard domain credentials, OR someone finds out a user's credentials and can join any device to the domain.
Is there a reason you WOULD NOT disable this?
Thanks for your insight.
Shawn
This is built-in by Microsoft as you can read in the URL I provided in my last comment.

You can always change these permissions.

Author

Commented:
Yes...I read the MS link.  I was just curious what your thoughts were and maybe your reasons if you did not already disable this.
thanks again.
