Solved

How to give user Add Computers to Domain rights

Posted on 2013-05-29
5
1,737 Views
Last Modified: 2013-05-30
I am trying to give a user rights to add computers to the domain.  According to documentation, I just need to give this person Create/Delete Computer Objects rights to the OU where computers are created.  This fails with the message Access Denied.

If I add this user to the Account Operators group then they are able to add computers to the domain.  The only problem with this is the Account Operators group has rights to Create/Delete Computer Objects, User Objects, Group Objects and InetOrgPerson Objects.

If I manually give the user these 4 rights they still get the Access Denied message.  Only when I place them in the Account Operators group they are able to add computers to the domain.

What am I overlooking?
0
Comment
Question by:dalva
5 Comments
 
LVL 1

Accepted Solution

by:
David earned 400 total points
ID: 39206361
Keep in mind that when a computer is first joined, it goes into the 'Computers' container before it gets moved to an OU. Did you add those permissions to that container as well?
0
 
LVL 1

Author Comment

by:dalva
ID: 39206372
I'll look into that in the morning.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39206443
You can delegate this right two ways.  By default users can add 10 machines

http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain

One is through group policy and the user rights assignment

The other is the delegation

So the way you did it you would think would work, delegate Peter at the domain level and it should be done.

...but on your computers container you need to go through the steps that John has outlined for delegation

thanks

Mike
0
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39206522
You don't necessarily need to give the user rights to the 'Computers' container.  Your user can first create the computer object in the specific OU that you allow him to, then he can add the computer to the domain.  It only creates the computer account in the 'Computers' container if that object doesn't already exist elsewhere.
0
 
LVL 1

Author Closing Comment

by:dalva
ID: 39208367
That did the trick.  Thanks
0

Featured Post

Want to promote your upcoming event?

Are you going to an event? Are you going to be exhibiting at a tradeshow? Talking at a conference? Using a promotional banner in your email signature ensures that your organization’s most important contacts stay in the know and can potentially spread the word about the event.

Join & Write a Comment

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now