Solved

How to give user Add Computers to Domain rights

Posted on 2013-05-29
5
1,762 Views
Last Modified: 2013-05-30
I am trying to give a user rights to add computers to the domain.  According to documentation, I just need to give this person Create/Delete Computer Objects rights to the OU where computers are created.  This fails with the message Access Denied.

If I add this user to the Account Operators group then they are able to add computers to the domain.  The only problem with this is the Account Operators group has rights to Create/Delete Computer Objects, User Objects, Group Objects and InetOrgPerson Objects.

If I manually give the user these 4 rights they still get the Access Denied message.  Only when I place them in the Account Operators group they are able to add computers to the domain.

What am I overlooking?
0
Comment
Question by:dalva
5 Comments
 
LVL 1

Accepted Solution

by:
David earned 400 total points
ID: 39206361
Keep in mind that when a computer is first joined, it goes into the 'Computers' container before it gets moved to an OU. Did you add those permissions to that container as well?
0
 
LVL 1

Author Comment

by:dalva
ID: 39206372
I'll look into that in the morning.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39206443
You can delegate this right two ways.  By default users can add 10 machines

http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain

One is through group policy and the user rights assignment

The other is the delegation

So the way you did it you would think would work, delegate Peter at the domain level and it should be done.

...but on your computers container you need to go through the steps that John has outlined for delegation

thanks

Mike
0
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39206522
You don't necessarily need to give the user rights to the 'Computers' container.  Your user can first create the computer object in the specific OU that you allow him to, then he can add the computer to the domain.  It only creates the computer account in the 'Computers' container if that object doesn't already exist elsewhere.
0
 
LVL 1

Author Closing Comment

by:dalva
ID: 39208367
That did the trick.  Thanks
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question