User rights Question-tricky

Nwtest

I want to give my help desk staff permission to join PCs to
the domain. I defined a GPO at the domain controllers level
with the user right "Add workstation to the domain" and then
added a group called HDESK.

Questions:
- Will HDESK only be allowed to join 10 machines or
unlimited? I removed the authenticated users.
- Last Q! I gave somebody folder permission in AD to
create computers, so at least he can encode the machine name
before joining and put it in the respective OU and not in the
default computer folder.
However, when HDESK joins the machine with the computer
account defined in the OU, he gets an access denied? When I
ask the user who created the comp account in the folder to
join, it works!
Am I missing something? I want those machines pre-created
in the respective OU before joining and want to delegate to my
sec.
Help
 
DJ

OK, by default any user can join the domain with up to 10
machines. Your HDESK group will be no exception unless you
add them to the domain admin group. As for the access
denied error msg, make sure your HDESK group has
the "Create Child Objects" permission on the OU they are
trying to add the computer account to.


HTH

DJ
Northrop Grumman IT
A+, Net+, MCP, MCSA
 
nwtest

Hi DJ, thanks!
So how can I make my HDESK group able to join an unlimited number of
workstations in my domain?

Do I necessarily have to delegate creating computer objects to HDESK,
or doesn't it matter?
 
Ulf B. Simon-Weidner

Hi Nwtest,

Granting your HDESK group the "add workstations to the domain" right is not the
solution, since they'll still be restricted to 10 computer accounts like the
authenticated users group (which is granted this right by default). See the
articles below for how to fix this:

314462 "You Have Exceeded the Maximum Number of Computer Accounts" Error
Message When You Try to Join a Windows XP Computer to a Windows 2000 Domain
http://support.microsoft.com/?id=314462

251335 Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/?id=251335

To your second question: if you precreate computer accounts in Active Directory,
you are able to set which users are able to connect to that account. This is
set on the first dialog of the "New Object - Computer" wizard; look at the
lowest input line, "The following user or group can join this computer to a
domain." Just put your HDESK group in here.

Another solution would be to install the computers as workgroup and put them
into the domain using netdom, where you are able to select the OU where the
computer account will be created. Or you are also able to configure the OU
using an unattended script.

150493 How To Join a Domain From the Command Line
http://support.microsoft.com/?id=150493

222525 Automating the Creation of Computer Accounts
http://support.microsoft.com/?id=222525

Gruesse - Sincerely,

Ulf B. Simon-Weidner
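
Added example (not part of the thread or of the linked Microsoft articles): a read-only PowerShell audit of the two mechanisms discussed above, the per-user quota behind the 10-machine limit and the create-computer permission on the target OU. It assumes the ActiveDirectory (RSAT) module is installed; the OU path is a placeholder and HDESK is the group named in the thread.

```powershell
# Added example: read-only audit, changes nothing in the directory.
Import-Module ActiveDirectory

# Assumptions: the OU path is a placeholder; HDESK is the group from the thread.
$OuDn  = 'OU=Workstations,DC=example,DC=com'
$Group = 'HDESK'

# 1. Domain-wide quota: how many computer accounts one user may create
#    through the "Add workstations to domain" user right (default 10).
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 2. Accounts created through that user right carry ms-DS-CreatorSID.
#    Count them per creator to see who has reached the quota.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID' |
    Group-Object { $_.'ms-DS-CreatorSID'.Value } |
    Select-Object @{n='CreatorSid'; e={ $_.Name }}, Count,
                  @{n='AtQuota';    e={ $_.Count -ge $quota }} |
    Sort-Object Count -Descending

# 3. Who may create computer objects in the OU? Creation via this permission
#    is not counted against the quota.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # class "computer"
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $createChild) -and
    ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
}
$aces | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# 4. Flag the case from the thread: the group has no such ACE in its own name.
if (-not ($aces | Where-Object { $_.IdentityReference -like "*\$Group" })) {
    "$Group has no create-computer ACE in its own name on $OuDn"
}
```

Step 4 only matches ACEs that name the group itself; rights that reach its members through another group show up in the step 3 listing instead.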
 
