"Add workstations to domain"

Guest

Hello all,

May be a silly question, however:

I have created an ordinary domain user in a group within an OU (Staff OP's). I intended this user to have the ability to add workstations to a domain using the "User Rights Assignments". I do not want them to be a member of any group except Domain Users. The problem I'm finding is that the user already seems to be able to join computers to a domain without specifying the privilege. He's not an administrator or a member of. Can anyone tell me why this may be happening?

Thanks in advance.
 
In an AD domain a normal user has the ability to add up to 10 computers to the
domain.
See http://support.microsoft.com/?kbid=251335 for all possibilities why and
how to change this behaviour.

--
Regards

Matjaz Ladava
MVP Windows Server - Directory Services
(e-mail address removed), (e-mail address removed)
 
Hi Matjaz,

Thank you for the quick reply. However, why is this the case? I would have thought a user would either have privileges to join a domain or not at all. It seems very strange there is a 10 workstation limit.

Cheers
 
So that a normal user can't abuse the ability and D.O.S. an environment by
creating millions of accounts.
 
As to WHY, because Microsoft decided to do it that way.

See tip 8144 and links in the 'Tips & Tricks' at http://www.jsiinc.com

You can use netdom to create the accounts in the OU of your choice, tip 3818.




I know I'm being a real pain now but how come by default a normal domain user has this ability? I find it strange as I would have thought this was a role only for someone with admin rights??? Is this also the same for Server 2003?

Oh one more question: is it possible to create a computer account within a specific OU from the workstation itself, rather than manually moving it from the normal Computers container to the OU you wish it to be in?

Thank you and your patience is much appreciated.


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
In a Windows 2003 domain you can redirect default computer creation with
the redircmp command so that by default computer accounts are created in an OU of
your choice.

--
Regards

Matjaz Ladava
MVP Windows Server - Directory Services
(e-mail address removed), (e-mail address removed)
 
This has been a topic of much discussion. I think the generally accepted answer
is to help in the cases of small sites that don't have a lot of admins. The
users can help themselves and in the cases of sites with users with laptops who
go to business sites, join the domain there and then come home and need to join
their work domain again.

On the second question, you can script this using ADSI or wrapping netdom in a
batch file or script.

joe
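
An added example, not part of any post in the thread: a PowerShell audit of the default behaviour discussed above, showing the join quota, the default computer container, and which non-admin users have already created computer accounts. It assumes the ActiveDirectory module (RSAT) is installed; the attribute names `ms-DS-MachineAccountQuota` and `ms-DS-CreatorSID` are not mentioned in the thread, and the OU in the commented `redircmp` line is a placeholder.

```powershell
# Added example. Requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Per-user join quota stored on the domain object (the default of 10 in the thread).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Machine account quota      : $quota"

# 2. Where new computer accounts land by default (what redircmp changes).
"Default computer container : $($domain.ComputersContainer)"

# 3. Computer accounts counted against someone's quota. AD records the creator's
#    SID in ms-DS-CreatorSID when an account is created under the quota.
$joined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
            -Properties 'ms-DS-CreatorSID', whenCreated

$report = foreach ($c in $joined) {
    $sid = $c.'ms-DS-CreatorSID'
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # creator deleted or SID cannot be resolved
    [pscustomobject]@{
        Computer = $c.Name
        Creator  = $who
        Created  = $c.whenCreated
        DN       = $c.DistinguishedName
    }
}

# Accounts per creator, highest first; anyone at or near the quota stands out.
$report | Group-Object Creator | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Individual accounts, newest first, for review.
$report | Sort-Object Created -Descending | Format-Table -AutoSize

# 4. Changing the behaviour (needs domain admin rights; review before running):
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
# redircmp "OU=Workstations,DC=example,DC=com"   # placeholder OU
```

With the quota set to 0, ordinary users can no longer join machines by default, and the right to create computer objects has to be granted explicitly, for example by delegation on a specific OU.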
 
