Solved

How to give user Add Computers to Domain rights

Posted on 2013-05-29
Last Modified: 2013-05-30
I am trying to give a user rights to add computers to the domain.  According to documentation, I just need to give this person Create/Delete Computer Objects rights to the OU where computers are created.  This fails with the message Access Denied.

If I add this user to the Account Operators group then they are able to add computers to the domain.  The only problem with this is the Account Operators group has rights to Create/Delete Computer Objects, User Objects, Group Objects and InetOrgPerson Objects.

If I manually give the user these 4 rights they still get the Access Denied message.  Only when I place them in the Account Operators group are they able to add computers to the domain.

What am I overlooking?
0
Question by:dalva
5 Comments
 
LVL 1

Accepted Solution

by:
David earned 400 total points
ID: 39206361
Keep in mind that when a computer is first joined, it goes into the 'Computers' container before it gets moved to an OU. Did you add those permissions to that container as well?
0
 
LVL 1

Author Comment

by:dalva
ID: 39206372
I'll look into that in the morning.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39206443
You can delegate this right two ways.  By default users can add 10 machines.

http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain

One is through group policy and the user rights assignment.

The other is the delegation.

So the way you did it you would think would work, delegate Peter at the domain level and it should be done.

...but on your computers container you need to go through the steps that John has outlined for delegation

thanks

Mike
0
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39206522
You don't necessarily need to give the user rights to the 'Computers' container.  Your user can first create the computer object in the specific OU that you allow him to, then he can add the computer to the domain.  It only creates the computer account in the 'Computers' container if that object doesn't already exist elsewhere.
0
 
LVL 1

Author Closing Comment

by:dalva
ID: 39208367
That did the trick.  Thanks
0
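
An added example, not part of the original thread: a read-only PowerShell audit that lists which trustees hold Create/Delete Child rights for computer objects on the default 'Computers' container and on the delegated OU, the two locations discussed above, and then reads the per-user join quota. It assumes the RSAT ActiveDirectory module is installed; `$TargetOU` and the function name `Get-ComputerObjectDelegation` are placeholders chosen for illustration.

```powershell
# Added example (not from the thread): audit who can create/delete computer objects.
# Assumes the RSAT ActiveDirectory module; $TargetOU is a placeholder DN.
Import-Module ActiveDirectory

$TargetOU = 'OU=Workstations,DC=example,DC=com'   # placeholder, replace with your OU
$domain   = Get-ADDomain

# schemaIDGUID of the 'computer' object class; identical in every AD forest.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$ADRights      = [System.DirectoryServices.ActiveDirectoryRights]
$ChildMask     = [int]($ADRights::CreateChild -bor $ADRights::DeleteChild)

function Get-ComputerObjectDelegation {
    param([Parameter(Mandatory)][string[]]$DistinguishedName)
    foreach ($dn in $DistinguishedName) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Keep only ACEs that include Create Child or Delete Child
            # (GenericAll / Full Control includes both bits).
            if (([int]$ace.ActiveDirectoryRights -band $ChildMask) -eq 0) { continue }
            # An empty ObjectType GUID means the right covers every child class.
            if ($ace.ObjectType -eq [guid]::Empty)      { $class = 'all classes' }
            elseif ($ace.ObjectType -eq $ComputerClass) { $class = 'computer' }
            else { continue }
            [pscustomobject]@{
                Container = $dn
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                AppliesTo = $class
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check both places a new computer account can land:
# the domain's default container and the OU that was delegated.
Get-ComputerObjectDelegation -DistinguishedName $domain.ComputersContainer, $TargetOU |
    Sort-Object Container, Trustee |
    Format-Table -AutoSize

# Per-user join quota for ordinary users (the default of 10 mentioned in the thread).
(Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

If the delegated user appears for the OU but not for the default container, a join that does not target a pre-created object in that OU will be denied, which matches the behaviour described in the question.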
