Add workstation to Domain

George Spiro · Jul 28, 2006

Hi,

I am looking first of all to block all domain users to add machines to the
domain. I do not want to allow anyone besides Domain Admins and one other
account to add machines to the domain.

So the other is where do I need to configure to allow this user to add
machines to the domain. This user will be like a service account i do not
want to give him login privileges. Will be used with SMS and BDD.

I am slightly confused regarding local security policy, domain security
policy, domain controler security policy.

Thanks for your help,

George

Andrei Ungureanu [MVP] · Jul 28, 2006

you'll need to modify Default Domain Controller Policy.
http://technet2.microsoft.com/Windo...d95d-4176-a1ca-bc629f1ca6981033.mspx?mfr=true

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

Bruce Sanderson · Jul 29, 2006

See http://support.microsoft.com/default.aspx?scid=kb;en-us;243327

A user needs the following permissions on pre created computer accounts to
be able to join a computer to the domain (after they have joined 10
computers - unless the number is changed per the above):

Reset Password
Validated write to DNS host name
Validated write to service principal name
Write Account Restrictions

(see http://support.microsoft.com/kb/238793/en-us)

steamfish · Jul 29, 2006

George said:
Hi,

I am looking first of all to block all domain users to add machines to the
domain. I do not want to allow anyone besides Domain Admins and one other
account to add machines to the domain.

So the other is where do I need to configure to allow this user to add
machines to the domain. This user will be like a service account i do not
want to give him login privileges. Will be used with SMS and BDD.

I am slightly confused regarding local security policy, domain security
policy, domain controler security policy.

Thanks for your help,

George

Greg O · Jul 30, 2006

This is explained in detail in "Mastering Windows Server 2003" by Mark
Minasi Chapter 5.

"But you can change that. If you like, you can create a whole new group
called Installers. Then we'll
give the group the power to change machine passwords and delete machine
accounts."

George Spiro · Jul 31, 2006

I dont see the value Create Computer Object, I got only Create global
objects.

Andrei Ungureanu [MVP] · Jul 31, 2006

you can set the Create Computer Objects permission by using the Delegate
Control wizard. Right click on an OU and start the wizard.

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

Steven L Umbach · Aug 1, 2006

Where are you seeing create global objects?? Anyhow go to the advanced page
of the security page of the Active Directory container [using Active
Directory Users and Computers] that you want to give the user/group
permissions to and then you should see create computer objects when you add
or edit a user/group in the access control list.

Unable to add workstation to domain	1	Jun 28, 2004
adding workstation to domain	1	Oct 25, 2004
permission to add workstation to domain	2	Aug 18, 2003
User Access to a DC	8	Feb 13, 2009
Unable To Delegate Add Workstation To Domain	1	Jun 28, 2004
HELP - specifying ability to add a workstation to a domain.	1	May 9, 2005
GP -- adding workstation to domain	3	Oct 24, 2004
How to check bad password login in Windows 2003 domain controller?	1	Jun 1, 2009

Add workstation to Domain

George Spiro

Andrei Ungureanu [MVP]

Bruce Sanderson

steamfish

Greg O

George Spiro

Andrei Ungureanu [MVP]

Steven L Umbach

Ask a Question

Similar Threads