Domain member

2Sweet

I have an AD account solely for the purpose of joining workstations as a
domain member. What are the rights to be granted to this account?
 
Herb Martin

2Sweet said:
I have an AD account solely for the purpose of joining workstations as a
domain member. What are the rights to be granted to this account?

Look into doing this with PERMISSION on the Parent AD Organizational
Units rather than using Rights*.

You should be able to get the least amount of privilege using this approach,
perhaps as little as just the permission to add computers there.

*Rights and Permissions are NOT the same thing on Windows systems
although for some tasks there is an overlap between these privileges.

Generally, rights are more generic (and perhaps more powerful) but there
is no accurate comparison as they really are used quite differently for MOST
tasks.

Rights are given directly to a "Security Principal" (group or user mostly)
and permissions are actually ON THE OBJECT that lets the group or user do
something TO IT.

Rights were needed for adding workstations to the domain in NT since NT
had no granular permission on the accounts database.

Win2000 and later AD has the ability to set PERMISSIONS on any OU (tree)
of the Directory and thus much more closely (granularly) control the same
basic privilege.
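
One way to apply the OU-level permission described in the reply above, as an added example that is not part of the original thread. The OU path and account name are placeholders, and the ActiveDirectory PowerShell module (RSAT) is assumed to be installed.

```powershell
# Added example: delegate only "create computer objects" on one OU to a
# dedicated join account, then list who holds that permission on the OU.
Import-Module ActiveDirectory

$ouDn    = 'OU=Workstations,DC=example,DC=com'   # placeholder OU (assumption)
$account = 'EXAMPLE\svc-domainjoin'              # placeholder join account (assumption)

# schemaIDGUID of the "computer" object class in the AD schema
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Resolve the account name to a SID so the ACE does not depend on the name
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Allow ACE: create child objects of class "computer" in this OU and below.
# This is a permission ON the OU, not a user right on the domain controllers.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: show every explicit Allow ACE on the OU that can create computers.
# An empty ObjectType GUID means the ACE applies to all child classes, and
# GenericAll includes the CreateChild bit, so broader grants show up as well.
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
(Get-Acl -Path $path).Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```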
 
2Sweet

I have followed article KB243327 to increase the number of workstations a
user can join to the domain.
What should I type in the msDS-MachineAccountQuota if I want to allow a user
to join 'unlimited' machine accounts to the domain?
 
