?
Solved

How to give user Add Computers to Domain rights

Posted on 2013-05-29
5
Medium Priority
?
1,879 Views
Last Modified: 2013-05-30
I am trying to give a user rights to add computers to the domain.  According to documentation, I just need to give this person Create/Delete Computer Objects rights to the OU where computers are created.  This fails with the message Access Denied.

If I add this user to the Account Operators group then they are able to add computers to the domain.  The only problem with this is the Account Operators group has rights to Create/Delete Computer Objects, User Objects, Group Objects and InetOrgPerson Objects.

If I manually give the user these 4 rights they still get the Access Denied message.  Only when I place them in the Account Operators group they are able to add computers to the domain.

What am I overlooking?
0
Comment
Question by:dalva
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 1

Accepted Solution

by:
David earned 1600 total points
ID: 39206361
Keep in mind that when a computer is first joined, it goes into the 'Computers' container before it gets moved to an OU. Did you add those permissions to that container as well?
0
 
LVL 1

Author Comment

by:dalva
ID: 39206372
I'll look into that in the morning.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39206443
You can delegate this right two ways.  By default users can add 10 machines

http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain

One is through group policy and the user rights assignment

The other is the delegation

So the way you did it you would think would work, delegate Peter at the domain level and it should be done.

...but on your computers container you need to go through the steps that John has outlined for delegation

thanks

Mike
0
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39206522
You don't necessarily need to give the user rights to the 'Computers' container.  Your user can first create the computer object in the specific OU that you allow him to, then he can add the computer to the domain.  It only creates the computer account in the 'Computers' container if that object doesn't already exist elsewhere.
0
 
LVL 1

Author Closing Comment

by:dalva
ID: 39208367
That did the trick.  Thanks
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Let's recap what we learned from yesterday's Skyport Systems webinar.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question