grant user permission to join his computer to the domain

hi experts,

 how can I grant a user permission to have his laptop join the domain himself and not grant him any admin rights?
frankbustosAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

jburgaardCommented:
AFAIK a normal Domain User can add max 10 PC's to domain
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
north_Commented:
First, create a group for the psuedo-admins in the domain. In AD, delegate control to the OU's they may need to manage (create/delete accounts, or maybe just reset passwords, or nothing at all).
Then use Group Policy to add your group to the local administrators group on the workstations and servers using Computer\Windows Settings\Security Settings\Restricted Groups. Do not deploy this policy to the Domain Controllers OU or the OUs containing your servers
0
Will SzymkowskiSenior Solution ArchitectCommented:
Jburgaard is correct which is enabled by deafult. It is highly recommended that you either disable this or lower the value. You will need to modify the Default Domain policy setting which you can allow or deny a user or groups from adding machines to a domain.

Modify the following area in GPO
Computer Configuration | Windows settings | Security Settings | User Rights Assignment | Add Workstations to the Domain

Also another thing you can do it "pre-create" the computer object for this user and then have the user add the machine to the domain.

Will.
0
jburgaardCommented:
When "pre-createing" the computer object you can put it in a OU of your choice beforehand and so impose GPO-settings.
0
frankbustosAuthor Commented:
thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.