Need help with delegating GPO rights

Michael Holzemer · Dec 24, 2003

BoostGeek said:
We have some technicians that are somewhat inadequate when it comes to
being computer savvy. But I need them to be able to add workstations
to the domain, logon on to servers (DCs and Member), shut down servers
and view the event log.

I understand the Add Workstations To Domain right works but it only
works up to 10 times. I know the Create computer objects right would
solve this but with wanting them to be able to login, I don't actually
want them to be able to go into the structure and add objects by
mistake in there, other than the computers they add to the domain.

What have you seen that indicates that the add workstation to the domain
right works only 10 times? I am familiar with the fact that the default
logons without a domain controller is 10 times (max 50), but have yet to see
a limit on the add rights. Is this perhaps what you are referring to?

--
Regards,

Michael Holzemer
No email replies please - reply in newsgroup

Learn script faster by searching here
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/default.asp

Herb Martin · Dec 24, 2003

We have some technicians that are somewhat inadequate when it comes to

being computer savvy. But I need them to be able to add workstations
to the domain, logon on to servers (DCs and Member), shut down servers
and view the event log.

Pretty much sounds like an "Account Operator" -- check it out and see
if that meets you needs.

BoostGeek · Dec 24, 2003

We have some technicians that are somewhat inadequate when it comes to
being computer savvy. But I need them to be able to add workstations
to the domain, logon on to servers (DCs and Member), shut down servers
and view the event log.

I understand the Add Workstations To Domain right works but it only
works up to 10 times. I know the Create computer objects right would
solve this but with wanting them to be able to login, I don't actually
want them to be able to go into the structure and add objects by
mistake in there, other than the computers they add to the domain.

Any info would be great. Thanks.

BoostGeek

BrianK · Dec 24, 2003

Account operator would allow also allow the techs to create user accounts &
groups, probably something that Boast does not want.
Boast,
Take an OU, right click, select Delegate control, and then give the techs
the ability to add computer objects to the domain. The techs can then add
computer accounts to the domain.
As far as logon onto the server, make the techs Server Operators to log and
shut down the server.
HTH,
BrianK

BrianK · Dec 24, 2003

Domain Users are allowed to create up to 10 computer accounts in the domain.
The purpose was for RIS so that a user could stage their own computers.
http://www.microsoft.com/technet/tr...technet/prodtechnol/winxppro/proddocs/526.asp
HTH,
BrianK

Unable To Delegate Add Workstation To Domain	1	Jun 28, 2004
How to allow grant,,permission an specific assigned user/group to add workstation to the domain?	3	Aug 16, 2005
Delegation Rights ?	1	Aug 2, 2005
Delegating renaming a computer account	1	Aug 5, 2004
Unable to add workstation to domain	1	Jun 28, 2004
Rights to join a computer to workstation	5	Mar 31, 2005
GP -- adding workstation to domain	3	Oct 24, 2004
How do I edit a Domain GPO from a workstation?	2	Aug 14, 2003

Need help with delegating GPO rights

Michael Holzemer

Herb Martin

BoostGeek

BrianK

BrianK

Ask a Question

Similar Threads