Rights to join a computer to workstation

Theepan

Hi,

What are the MINIMAL required permissions/rights in order for a user to be
able to join a domain? The scenario is to create a user with minimal rights,
who can only join/add workstations to the domain.

I've created a domain user, removed him from all default groups and made him
member of "Domain Guests" group only.

Next I've added this user to the Domain Security policy "Add Workstations to
domain".

Now, this user also needs permissions/rights in the "Computers" container as
well as the other OUs, where he should be able to join/add workstation into.
Are there any docs describing the minimal required permissions to do so?

The domain is in Windows 2000 Native mode.

Until today this has worked fine - the error code I get from NETDOM now is
8557, which is:

"Your computer could not be joined to the domain. You have exceeded the
maximum number of computer accounts you are allowed to create in this
domain. Contact your system administrator to have this limit reset or
increased."

Afaik, this limit should not exist for users with the policy "Add
Workstations to domain".

Any ideas?

Guest

Hi
I would like to ask if you know what kind of permission the "normal" users
must have to REMOVE a workstation from the domain.

I grant the permission "Add workstation to domain" to an Install group of
users, but they can't remove a computer from the domain when they need to
re-install any computer. That makes a lot of calls from these users for us to
manually delete those accounts...

Thanks.
Eduardo S. Antunes
BRASIL

Ulf B. Simon-Weidner [MVP]

Eduardo S. Antunes said:
Hi
I would like to ask if you know what kind of permission the "normal" users
must have to REMOVE a workstation from the domain.

I grant the permission "Add workstation to domain" to an Install group of
users, but they can't remove a computer from the domain when they need to
re-install any computer. That makes a lot of calls from these users for us to
manually delete those accounts...

Hi Eduardo,

As far as I know they need to be local Admin and require the right to
Delete the Computer Object in AD.

The following guide might help you:

Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

Best Practices for Delegating Active Directory Administration Appendices
http://www.microsoft.com/downloads/...88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en


--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
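The two questions in this thread (Theepan's 8557 "exceeded the maximum number of computer accounts" error when joining, and Eduardo's users who cannot remove a workstation) come down to the same delegation. Added example, not from any poster: a PowerShell script that reads the domain's computer-account quota and delegates explicit create/delete rights for computer objects on one OU. The group name, OU and domain are placeholders; it assumes the ActiveDirectory module and the dsacls tool are available on the admin workstation. Removing a machine still also needs local Administrator on the workstation itself, as Ulf notes.

```powershell
# Added example (not from the thread). Placeholders: adjust group and OU.
#Requires -Modules ActiveDirectory

$JoinerGroup = 'EXAMPLE\WorkstationJoiners'          # placeholder group
$TargetOU    = 'OU=Workstations,DC=example,DC=com'   # placeholder OU

# 1. Read the domain-wide quota. A user who joins machines relying only on the
#    "Add workstations to domain" user right is limited to this many computer
#    accounts (default 10); exceeding it is what NETDOM reports as error 8557.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"

# 2. Delegate explicit permission on the OU to create and delete computer
#    objects only: CC = create child, DC = delete child, ";computer" restricts
#    both to the computer object class, /I:T applies to the OU and sub-objects.
#    Joins performed with an explicit create right are not counted against the
#    quota, and the delete right is what lets the group remove stale machines.
dsacls $TargetOU /I:T /G "${JoinerGroup}:CCDC;computer"

# 3. Optional hardening, as a separate deliberate step: set the quota to 0 so
#    that only explicitly delegated principals can add machines at all.
# Set-ADDomain -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}

# 4. Verify the ACE landed on the OU.
dsacls $TargetOU | Select-String -Pattern ([regex]::Escape($JoinerGroup))
```

Scoping the grant to the object class ("...;computer") and to one OU keeps the account from creating or deleting anything else; an audit of the OU's ACL (step 4) is the quickest way to confirm that no broader rights were handed out by mistake.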

Guest

Thanks Ulf
I granted permissions on Computer Objects to my group and now everything is OK.

Thank you.