Allowing a domain user account (specify) to add workstation to Windows 2000 domain (SP4)


J.H

Hi,
Previously, we removed the right to add workstations to the Windows 2000 domain.
However, now we are trying to expand our IT dept, so we are hiring more IT Help
Desk Support staff. We'd like to allow an IT Help Desk Support technician to
(without giving the account the domain_admin right):

a. log on to the workstation with administrator privilege (domain logon)
b. have the ability to add any workstation to the Windows 2000 domain

If anyone can suggest a hint, please let us know; we appreciate your help.

Regards,
JPTH
 
Removing Authenticated Users from that user right is good! ;-)

A) Create a group in AD and use the Restricted Groups feature within a GPO
to make that group a member of the local Administrators group. Link the GPO
to the OU where the computer accounts are.
B) Delegate the right to create computer accounts within some OU.

also see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Hi there,

Can you be more specific? Step by step, please.

a. Create an OU or a group in Active Directory?
b. More specific, please!!

Thanks so much for your input
Regards,
JPTH

 
Just use a standard domain user and create a new domain group that is placed
into the local Administrators group on the workstation. If you use
Restricted Groups you can then modify the group membership to get users into
and out of the local Administrators group with minimal effort.

The GPO settings are at:

Computer Configuration \ Windows Settings \ Restricted Groups

Group = your group to be made local admins
Member of = BUILTIN\Administrators

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.microsoft.com/technet/pr...Ref/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx
http://www.microsoft.com/resources/...all/proddocs/en-us/sag_scerestrictgroups.mspx

There is absolutely nothing that has to be done on the client side.



Create the GPO in the OU where the computers reside (NOT the users), go to
Computer Configuration/Windows Settings/Security Settings/Restricted Groups,
right-click Restricted Groups and select New Group (for the local
computers, this group name should be Administrators) and key in the group
you want auto-populated. Select Add on "Members of this group" and then
add the members you want populated.

To provide users the ability to add workstations, delegate the right to a
group (the same group as in the Restricted Groups setting used above?).

Create a new security group and give it the ability to only join
computers to the domain via the "Delegation of Control" wizard. Then add
the user account to this new group.

http://www.microsoft.com/technet/pr...ogies/activedirectory/stepbystep/ctrlwiz.mspx

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
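For readers applying this on a later domain, an added example (not from this thread or its authors) that scripts the two halves of the answer above: the global security group, and the "create/delete computer objects" delegation scoped to the workstation OU. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or newer, or RSAT); on the Windows 2000 domain asked about, the Delegation of Control wizard does the same thing. The OU and group names are placeholders.

```powershell
# Added example, not from the thread. Placeholder names: adjust to your domain.
Import-Module ActiveDirectory

$HelpDeskGroup = 'HelpDesk-WorkstationAdmins'            # global security group, as advised
$GroupsOU      = 'OU=Groups,DC=example,DC=com'
$WorkstationOU = 'OU=Workstations,DC=example,DC=com'     # where the computer accounts live

# 1. One global security group that (a) the Restricted Groups GPO places into the
#    workstations' local Administrators group and (b) gets the join delegation below.
if (-not (Get-ADGroup -Filter "Name -eq '$HelpDeskGroup'")) {
    New-ADGroup -Name $HelpDeskGroup -GroupScope Global -GroupCategory Security `
        -Path $GroupsOU -Description 'Help Desk: local admin on workstations + domain join'
}
$groupSid = (Get-ADGroup $HelpDeskGroup).SID

# 2. Delegate only "Create Computer objects" / "Delete Computer objects" on the
#    workstation OU, which is what the Delegation of Control wizard's
#    "Join a computer to the domain" task grants. The GUID is the schemaIDGUID of
#    the computer class, so the ACE cannot be used to create any other object type.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$ouPath = "AD:\$WorkstationOU"
$acl    = Get-Acl -Path $ouPath
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 3. Verify: the only ACEs the help-desk group holds on the OU should be the
#    object-specific CreateChild/DeleteChild pair, nothing broader.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference -like "*\$HelpDeskGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# The Restricted Groups half is still set in the GPO editor as the thread describes
# (Group = $HelpDeskGroup, Member of = BUILTIN\Administrators). In the GPO's security
# template (GptTmpl.inf) that "Member of" setting is stored under [Group Membership] as
#   *<SID of $HelpDeskGroup>__Memberof = *S-1-5-32-544
# which adds the group to local Administrators without replacing existing members.
```

Because the ACE is limited to computer objects under that one OU, the help-desk group can join machines there but cannot create users, groups or computers elsewhere in the directory.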
 
Hi there,

Thanks for your reply.

1. Should I create a Security Global group or a Domain Local Security group?

2. I see that I can create a domain user account, add this user account to the
domain group that I just created, and in Restricted Groups add the domain group
to the restricted group of the GPO, then Member of = BUILTIN\Administrators.

Is that it?

Thanks,
JPTH
 
Hi Paul,

What additional member of a built-in group is needed so a domain user account
will be able to join a computer to the domain? Is it the built-in Account
Operators? Or must I do another tweak?

Thanks for your input,
JPTH
 
1) I would use a global group
2) I believe I follow you and yes that sounds right.



--
Paul Bergson
 
Sorry, I don't follow your question

--
Paul Bergson
 
Glad to help

--
Paul Bergson
 