account for tech to add pc's to domain

[Guest]

Hello,

I used the "delegate Control" Wizard, picked an account, selected "Join a
computer to domain" and finished. Problem is that I cant add computers to the
domain with that account?

Is there a better way to do this?

thanks

 

[ptwilliams]

Has this user joined any machines to the domain in the past?

What error do you get?

What (advanced) permissions does this user have on the USERS container?


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Hello,

I used the "delegate Control" Wizard, picked an account, selected "Join a
computer to domain" and finished. Problem is that I cant add computers to
the
domain with that account?

Is there a better way to do this?

thanks

 

[Guest]

No has not joined any machines in the past. A new account. First time setting
this up. The error is a permissions error. The account has "create computer
Objects" permissions.

 

[Oli Restorick [MVP]]

Which container did you delegate access for? Machines are, by default,
added to the Computers container.

I'd also recommend using a group for the purpose of delegation.

It sounds like you're already aware that the right to "Add workstations to
the domain" in user rights assignment is different from delegated control to
add or delete computer accounts to or from a container.

Oli

 

[Guest]

Whoops!!! Meant to say COMPUTERS container [blush]

Did you configure permissions on the Computers container or an OU?

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 

[Guest]

Can you elaborate on the difference between delegate control and user rights?

I would like to have a group that can add machines to the domain from the
workstations and have them go into a specific ou container that they are in
not the default computer container.
I have the group set up and the delegate control seems correct but can't get
the container thing fugured out. It always goes to the default container even
though the group only has security set up on a specific ou container.

 

[Oli Restorick [MVP]]

Hi there.

The user interface for joining a PC to the domain from the client does not
allow you to enter an OU, so things always go to the Computers container.
There are two ways around this. The first is for an admin to create the
computer accounts (using dsa.msc). The second is to use the netdom.exe
utility (which can be found in the Support Tools folder on your Windows CD).
This has command-line parameters to allow you to specify an OU as an LDAP
path.

Hope that made sense.

Regards

Oli