Add workstation to Domain

[George Spiro]

Hi,

I am looking first of all to block all domain users to add machines to the
domain. I do not want to allow anyone besides Domain Admins and one other
account to add machines to the domain.

So the other is where do I need to configure to allow this user to add
machines to the domain. This user will be like a service account i do not
want to give him login privileges. Will be used with SMS and BDD.

I am slightly confused regarding local security policy, domain security
policy, domain controler security policy.

Thanks for your help,

George

 

[Andrei Ungureanu [MVP]]

you'll need to modify Default Domain Controller Policy.
http://technet2.microsoft.com/Windo...d95d-4176-a1ca-bc629f1ca6981033.mspx?mfr=true

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

 

[Bruce Sanderson]

See http://support.microsoft.com/default.aspx?scid=kb;en-us;243327

A user needs the following permissions on pre created computer accounts to
be able to join a computer to the domain (after they have joined 10
computers - unless the number is changed per the above):

Reset Password
Validated write to DNS host name
Validated write to service principal name
Write Account Restrictions

(see http://support.microsoft.com/kb/238793/en-us)

 

[steamfish]

Hi,

I am looking first of all to block all domain users to add machines to the
domain. I do not want to allow anyone besides Domain Admins and one other
account to add machines to the domain.

So the other is where do I need to configure to allow this user to add
machines to the domain. This user will be like a service account i do not
want to give him login privileges. Will be used with SMS and BDD.

I am slightly confused regarding local security policy, domain security
policy, domain controler security policy.

Thanks for your help,

George

 

[Greg O]

This is explained in detail in "Mastering Windows Server 2003" by Mark
Minasi Chapter 5.

"But you can change that. If you like, you can create a whole new group
called Installers. Then we'll
give the group the power to change machine passwords and delete machine
accounts."

 

[George Spiro]

I dont see the value Create Computer Object, I got only Create global
objects.

 

[Andrei Ungureanu [MVP]]

you can set the Create Computer Objects permission by using the Delegate
Control wizard. Right click on an OU and start the wizard.

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

 

[Steven L Umbach]

Where are you seeing create global objects?? Anyhow go to the advanced page
of the security page of the Active Directory container [using Active
Directory Users and Computers] that you want to give the user/group
permissions to and then you should see create computer objects when you add
or edit a user/group in the access control list.