GPOs and joining computers to domain


Russ

We're using GPOs to apply security group restrictions to add groups to
the local admin accounts on workstations, but we're having problems
with remote sites adding computers to our AD domain. We have an OU
set up for them, and they're delegated permissions to their OU, but
when they try to join a new PC, they are denied. I'm guessing it is
trying to put it in the default computer container instead of their
OU, which they don't have rights to. How do we fix this (script?)
so our site admins can join PCs to their OUs remotely?
 
You can use Netdom.


If /OU is not specified the account is created in the Computers container.

Joining a workstation or member server to a domain
Join mywksta to the devgroup.microsoft.com domain in the Dsys/workstations
organizational unit.

NETDOM JOIN /d:devgroup.microsoft.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
In addition to adding the computer account to the domain, the workstation is
modified to contain the appropriate shared secret to complete the Join
operation.
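
Added example, not part of the original thread: a Windows PowerShell script a site admin could run on the new PC to join it directly into their delegated OU, using the built-in Add-Computer cmdlet in place of Netdom. The script parameters and the example values in its comments are placeholders chosen for illustration.

```powershell
# Added example: join this PC straight into a delegated site OU.
# Example values in the comments are placeholders, not taken from the thread.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $DomainName,  # e.g. corp.example.com
    [Parameter(Mandatory)] [string] $OUPath       # e.g. OU=SiteA,OU=Workstations,DC=corp,DC=example,DC=com
)

# The OU has to live inside the domain being joined, so its distinguished
# name must end with that domain's DC= components. Check before touching AD.
$domainDn   = ($DomainName.Split('.') | ForEach-Object { "DC=$_" }) -join ','
$normalized = $OUPath.Trim() -replace '\s*,\s*', ','

if ($normalized -notmatch '^(OU|CN)=') {
    throw "OU path '$OUPath' must start with OU= (or CN= for a container)."
}
if (-not $normalized.EndsWith(",$domainDn", [StringComparison]::OrdinalIgnoreCase)) {
    throw "OU path '$OUPath' is not under domain '$DomainName' ($domainDn)."
}

# Prompt for the delegated site-admin account; no password is stored in the script.
$cred = Get-Credential -Message "Account delegated to create computers in $normalized"

try {
    # -OUPath creates the computer account in the delegated OU instead of
    # the default Computers container, which the site admin cannot write to.
    Add-Computer -DomainName $DomainName -OUPath $normalized `
                 -Credential $cred -ErrorAction Stop
    Write-Host "Joined $env:COMPUTERNAME to $DomainName in $normalized."
    Write-Host "Restart the computer to complete the join."
}
catch {
    # Report the failure (for example, access denied on the OU) and stop,
    # rather than retrying without an OU path.
    Write-Error "Domain join failed: $($_.Exception.Message)"
    exit 1
}
```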
 