Windows Domain Admin Account Question

Hello Experts,

Can someone please let me know if its possible to create Domain Admin account that can add PC's etc to a domain, but doesn't have the rights to make admin changes to to PC itself that has been added to the domain?

What I'm trying to say is that I have added a PC to a domain with the Domain Admin account, but I don't want the Domain Admin account to make changes to the system wide properties on the PC.

Cheers

Carlton
cpatte7372Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Scott CSenior EngineerCommented:
What you are looking for is this.

https://support.microsoft.com/en-us/kb/125782

You want to set up a "Creating Workstation only Administrator ".\

https://technet.microsoft.com/en-us/library/Cc780195(v=WS.10).aspx
Lee W, MVPTechnology and Business Process AdvisorCommented:
create Domain Admin account that can add PC's etc to a domain, but doesn't have the rights to make admin changes to to PC itself that has been added to the domain?

As I read this, you want a domain admin account that has full domain admin rights to the network but to a particular PC, the account cannot perform administrative functions?

Simple, add the computer to the domain and remove the "Domain Admins" from the local "administrators" group on the PC.

Now, I say simple, but I'll add, VERY unwise.  Domain admins need access to the computer for administrative purposes. If you don't trust your admins, then they shouldn't be your admins.

If I'm misunderstanding, let me know - probably best to describe the scenario for which you need this.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lruiz52Commented:
You could just create an Domain User account and delegate the right to Join Computers to the Domain.

https://robiulislam.wordpress.com/2012/02/07/delegate-non-admin-account-to-add-workstations-to-domain/
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Scott CSenior EngineerCommented:
@Iruiz52....which is what I suggested.
lruiz52Commented:
@ScottCha...... Not really, but OK.

two different ways of doing it.
cpatte7372Author Commented:
Experts,

Sorry, I haven't responded, been really busy.

Going to try your suggestions now...

Will keep you posted.
cpatte7372Author Commented:
Spot on mate

Cheers
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.