Solved

How to give user Add Computers to Domain rights

Posted on 2013-05-29
5
1,849 Views
Last Modified: 2013-05-30
I am trying to give a user rights to add computers to the domain.  According to documentation, I just need to give this person Create/Delete Computer Objects rights to the OU where computers are created.  This fails with the message Access Denied.

If I add this user to the Account Operators group then they are able to add computers to the domain.  The only problem with this is the Account Operators group has rights to Create/Delete Computer Objects, User Objects, Group Objects and InetOrgPerson Objects.

If I manually give the user these 4 rights they still get the Access Denied message.  Only when I place them in the Account Operators group they are able to add computers to the domain.

What am I overlooking?
0
Comment
Question by:dalva
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 1

Accepted Solution

by:
David earned 400 total points
ID: 39206361
Keep in mind that when a computer is first joined, it goes into the 'Computers' container before it gets moved to an OU. Did you add those permissions to that container as well?
0
 
LVL 1

Author Comment

by:dalva
ID: 39206372
I'll look into that in the morning.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39206443
You can delegate this right two ways.  By default users can add 10 machines

http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain

One is through group policy and the user rights assignment

The other is the delegation

So the way you did it you would think would work, delegate Peter at the domain level and it should be done.

...but on your computers container you need to go through the steps that John has outlined for delegation

thanks

Mike
0
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39206522
You don't necessarily need to give the user rights to the 'Computers' container.  Your user can first create the computer object in the specific OU that you allow him to, then he can add the computer to the domain.  It only creates the computer account in the 'Computers' container if that object doesn't already exist elsewhere.
0
 
LVL 1

Author Closing Comment

by:dalva
ID: 39208367
That did the trick.  Thanks
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question