Adding machine accounts

By default authenticated users are allowed to add up to 10 machine accounts to the domain. This doesn't seem to be working for me. I have the following questions:

1) What security needs to be set on the computers container? Do authenticated users need any rights beyond read?

2) Does the security right "Add workstations to domain" need to be configured?

3) Are there any other places to control the ability to add workstations?


Thanks
 
1. No special security settings are needed.
2. No, you don't need that right. That was for NT domains.
3. You can delegate the control of Computers container in AD to your users
to create computer objects. Use Delegation of control wizard at your
Computers container.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

RickS said:
By default authenticated users are allowed to add up to 10 machine
accounts to the domain. This doesn't seem to be working for me. I have the
following questions:
1) What security needs to be set on the computers container? Do
authenticated users need any rights beyond read?
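
Added example, not part of the original thread or any poster's reply: a read-only PowerShell audit of the two controls discussed above, the domain's machine account quota (10 by default, as the question says) and which principals hold permission to create computer objects at the domain level and on the Computers container. It assumes the RSAT ActiveDirectory module and a session with read access to the domain; the helper name `Get-ComputerCreateDelegation` is made up for this example.

```powershell
# Added example: read-only audit; it changes nothing in the directory.
Import-Module ActiveDirectory

# schemaIDGUID of the 'computer' object class (a schema constant).
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-ComputerCreateDelegation {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$DistinguishedName)

    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    foreach ($dn in $DistinguishedName) {
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (($_.ActiveDirectoryRights -band $createChild) -eq $createChild) -and
                # An empty GUID means "create any child class", computers included.
                ($_.ObjectType -eq $ComputerClassGuid -or $_.ObjectType -eq [guid]::Empty)
            } |
            Select-Object @{n = 'Container'; e = { $dn }}, IdentityReference,
                          ActiveDirectoryRights, IsInherited
    }
}

$domain = Get-ADDomain

# Quota of machine accounts a non-delegated user may create (set on the domain head).
$head = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
'ms-DS-MachineAccountQuota = {0}' -f $head.'ms-DS-MachineAccountQuota'

# Compare delegation at the domain level with delegation on the Computers container.
Get-ComputerCreateDelegation -DistinguishedName $domain.DistinguishedName, $domain.ComputersContainer |
    Sort-Object Container, IdentityReference |
    Format-Table -AutoSize
```

To audit a specific OU instead of the default container, pass its distinguished name to `-DistinguishedName`.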
 
Should the add computer to domain delegation also be set on the domain
level or is delegated control on computer container/OU enough?
Also which rights should be set since I'm wrestling already a long
time with this issue..
 
Johan said:
Should the add computer to domain delegation also be set on the domain
level or is delegated control on computer container/OU enough?

If you only wish to delegate the PERMISSION within the smaller
container, then only set it on that specific container (or tree.)
Also which rights should be set since I'm wrestling already a long
time with this issue..

The terminology gets very confusing here, since "adding a computer
to the domain" was a RIGHT (only) in NT4.

But adding a computer to an OU is a PERMISSION on that OU starting
in Win2000.

There are subtle differences between Rights and Permissions on Microsoft
systems.

One privilege that has never been fully explicated is the "right or
permission" to dial in using RRAS (even in NT4 it was just a setting on
the user's account).
 
Right...

Is it possible to change the default permission when creating a
computer account within an OU who can join the computer to the domain..?

Matjaz Ladava said:
You set this only on Computers OU. See
http://support.microsoft.com/?kbid=251335 for detailed instructions.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Johan said:
Should the add computer to domain delegation also be set on the domain
level or is delegated control on computer container/OU enough?
Also which rights should be set since I'm wrestling already a long
time with this issue..


 
Is it possible to change the default permission when creating a
computer account within an OU who can join the computer to the domain..?

When you created the computer account, you (in a real sense) 'joined
the computer to the domain' -- anyone can do the install or connection
now because the "computer account" is doing the actual first authentication.
 
never mind, found the authenticate to permission already... :)
Hmm... MS should hurry up with that delegation white paper...or is
there another paper/book which describes all permission settings...?
 
Johan said:
never mind, found the authenticate to permission already... :)
Hmm... MS should hurry up with that delegation white paper...or is
there another paper/book which describes all permission settings...?

What did you find?

One reason many of us help with questions is so that we ourselves will learn
more....
 
I've set the permission "Allowed to Authenticate" on Computer Objects
on the OU to the group so the default setting is set OK.

Herb Martin said:
Johan said:
never mind, found the authenticate to permission already... :)
Hmm... MS should hurry up with that delegation white paper...or is
there another paper/book which describes all permission settings...?

What did you find?

One reason many of us help with questions is so that we ourselves will learn
more....

--
Herb Martin
 