rights to add AD objects

Eric Sabine

I would like an elevated user to have the rights to add objects to AD,
explicitly new computers, but I don't want to make him a domain admin. What
group does he need to be in?

Thanks
 
Paul Bergson {MCT, MCSE}

Account Operators, but they will be able to manage users as well.

If you want the ability to just add computers then you could grant them the
specific permission via the OU(s) in question. Either create a group
(Recommended) or add the user and go to the security tab on the container in
AD.

Right Click on Container
Select the Security Tab
Choose user or group to provide permissions
Select Advanced
Highlight Group or User
Select Edit
Check Create Computer Object (Delete if you want them to remove)
Ok
Ok
Ok


Paul Bergson MCT, MCSE, CNE, CNA, CCA
 
Tim Kalligonis

Anyone can add up to 10 computers to the domain based on the attribute
ms-DS-MachineAccountQuota. By default that is set to 10.

Best thing to do is:
1. Create a security group called something like "Domain Computer
Administrators"
2. Add that user's account to the group.
3. Delegate control to computer objects at the domain level for that
security group.

If you don't want that user or other users you may add into this security
group to control computer objects throughout the domain, then create separate
security groups and delegate control at the different OU levels.

If you want to just have this user be able to ADD computers to the domain
and then not be able to move them out of the Computers CN, then just
delegate control on the Computers container.
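
The delegation described in the replies above, scripted with the ActiveDirectory PowerShell module. This is an added example, not code from any poster in the thread; the OU distinguished name and the group name are assumptions, and the group is assumed to exist already.

```powershell
Import-Module ActiveDirectory

# Assumed values, not from the thread: replace with your own OU and group.
$ouDn      = 'OU=Workstations,DC=example,DC=com'
$groupName = 'Computer Joiners'

# Look up the schemaIDGUID of the "computer" class so the ACE applies
# to computer objects only, not to users or groups.
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$computerCls  = Get-ADObject -SearchBase $schemaNc `
                    -LDAPFilter '(lDAPDisplayName=computer)' `
                    -Properties schemaIDGUID
$computerGuid = [guid]$computerCls.schemaIDGUID

# Resolve the delegated group to a SID.
$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Build an Allow ACE: Create Child, limited to the computer class,
# inherited by the OU and everything below it. Add DeleteChild as a
# second rule only if the group should also remove computers.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Apply the ACE to the OU through the AD: drive.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check 1: the ACE is present and scoped to the computer class.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and
                   $_.ObjectType -eq $computerGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# Check 2: read the domain-wide quota mentioned above. While it is
# non-zero, users outside the group can still join machines up to
# that count, independent of this delegation.
Get-ADObject -Identity (Get-ADDomain).DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object 'ms-DS-MachineAccountQuota'
```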
 
