Let user add workstation to domain?

Anders Biro

Hello, I have this specific situation where I really need to let one specific
user add and remove workstations to the domain but _nothing_ else, and that
is why I cannot add it to the built-in groups.
(Alternatively I would like to only let users add specific workstations to
the domain.)

To my understanding this would be possible with the "Add workstations to
domain" setting under "User rights" in the Local Policy part of the Group
Policy; adding specific domain accounts to this right does not, however,
accomplish anything, and I still get access denied with the specific accounts
when adding/removing workstations to the domain.

What am I doing wrong?
/Regards
Anders
 
I suppose you're aware that a workstation can access
domain resources even if it is not joined to the domain,
as long as the local account/password agrees with the
domain account/password.
 
You need to delegate that right to users in the domain group policy, not the
local group policy.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
OK, I right-click the domain in question in the AD snap-in and choose to
edit the group policy option.
In the policy window of the domain I modify the "Join workstation to domain"
setting located under
Computer Configuration->Windows Settings->Security Settings->Local
Policies->User Rights Assignment

This does not seem to work so is this not the right location?
/Regards Anders

 
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch02.mspx#EHAA

Check the section on "User Rights Assignment Settings".

--
Richard G. Harper [MVP Shell/User]
 
I am afraid I still get "access denied" when attempting to join the domain.
I also tried to delegate "join computer to domain" according to
http://www.computing.net/windows2003/wwwboard/forum/3796.html
with no success.

Can the fact that I do not join a physical computer but rather a virtual
VMware machine cause trouble?
The very reason I want to delegate this in the first place is that VMware
machines tend to lose their domain membership and users repeatedly have to
ask me to rejoin them with my admin account.
/Regards Anders

 
Never mind, the following steps solved my problem:

1. On your DC open ADUC
2. Right-click the container that you want the group to have delegated
control over and select "Delegate Control"
3. Click Next and then Add
4. Add the user account/group and click Next
5. Click the "Create Custom Task" to delegate option and then click Next
6. Click "Only the Following Objects" and "Create Selected Objects in this
folder" and click Next.
7. Click "Create all Child Objects" and click Next
8. Click Finish.


 
Glad to hear that you finally got it sorted out.

--
Richard G. Harper [MVP Shell/User]


 
I solved a similar joining-to-domain problem by doing:

o Domain level permissions, Apply Onto: Computer Objects
  - Validated write to service principal name [Object tab]
  - Read Account Restrictions [Properties tab]
  - Write Account Restrictions [Properties tab]
  - Reset Password [Object tab]
o Domain level permissions, Apply Onto: This object and all child objects
  - Create Computer Objects [Object tab]
  - Delete Computer Objects [Object tab]

These are the minimal permissions I've found that allow a user to join a PC to
the domain, overwrite a PC that's already joined, or delete the computer from
the domain. Hope this helps!
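The "Delegate Control" wizard steps in Anders' post and the narrower ACE list in the post above can be applied as one scripted delegation, and read back to verify what was actually granted when a join still fails with "access denied". This PowerShell is an added example, not code from the thread; it implements the minimal ACE set rather than the wizard's broad "Create all Child Objects", and the OU distinguished name and group name are assumptions. The object-class and rights GUIDs are looked up in the forest's own schema instead of being hard-coded.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module, an
# OU and a group that already exist, and an account allowed to edit the OU's ACL.
Import-Module ActiveDirectory

# Resolve an extended right / property set GUID by display name from the
# forest's Extended-Rights container, so no GUID is hard-coded.
function Get-RightsGuid([string]$DisplayName) {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Right '$DisplayName' not found in Extended-Rights" }
    return [guid]$obj.rightsGuid
}

function Grant-ComputerJoinDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDN,      # e.g. "OU=VMs,DC=example,DC=com" (assumed)
        [Parameter(Mandatory)][string]$GroupName  # e.g. "VM-Joiners" (assumed)
    )
    $sid    = (Get-ADGroup $GroupName).SID
    $schema = (Get-ADRootDSE).schemaNamingContext
    $computerGuid = [guid](Get-ADObject -SearchBase $schema `
        -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID

    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $I = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        # "This object and all child objects": create/delete computer objects only
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $R::CreateChild, $allow, $computerGuid, $I::All),
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $R::DeleteChild, $allow, $computerGuid, $I::All),
        # "Apply onto: Computer objects": what a (re)join needs on an existing account
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $R::Self, $allow,
            (Get-RightsGuid "Validated write to service principal name"), $I::Descendents, $computerGuid),
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $R::ExtendedRight, $allow,
            (Get-RightsGuid "Reset Password"), $I::Descendents, $computerGuid),
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, ($R::ReadProperty -bor $R::WriteProperty), $allow,
            (Get-RightsGuid "Account Restrictions"), $I::Descendents, $computerGuid)
    )
    $acl = Get-Acl -Path "AD:\$OuDN"
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# Read the OU's ACL back and list only the ACEs held by the group: the check to
# run before assuming the delegation is in place.
function Show-ComputerJoinDelegation([string]$OuDN, [string]$GroupName) {
    $sid = (Get-ADGroup $GroupName).SID.Value
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

Grant-ComputerJoinDelegation -OuDN "OU=VMs,DC=example,DC=com" -GroupName "VM-Joiners"
Show-ComputerJoinDelegation  -OuDN "OU=VMs,DC=example,DC=com" -GroupName "VM-Joiners"
```

Scope the delegation to the OU holding the VMware guests rather than the domain root, so the group can only create, rejoin or delete computer accounts there.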



 
Open the domain controllers security policy in Administrative Tools, then
open the user assignment policy,
select "Add workstations to domain" and add the user to that
policy and gpupdate it,
or after adding the user restart the machine. It will work and it is not a
big problem.

happy new year to all

regards

sridhar
 