For whatever reason Microsoft did incorporate that into a default setup of an Active
Directory domain, which comes as a surprise to a lot of administrators, in the user
rights assignment for "add workstations to the domain" in the Domain Controller
Security policy. I am not sure it is the same in Windows 2003. Many argue that it is
not a big deal since a machine joined to the domain will have all the machine
configuration policies applied to it. However, if a domain is set up to use IPsec
negotiation to protect domain machines from non-domain machines, then it certainly
can be a security risk if anyone with a domain account can join their home laptop to
the domain. It is also a security risk when auto enrollment of machine certificates
is enabled. Not sure what the thinking was behind giving domain users that
right.
--- Steve
Karl Levinson [x y] mvp said:
I could be wrong, but I do not believe that to be true.
Danny Sanders said:
A "regular" user account can join 10 PCs to the domain.
hth
DDS W 2k MVP MCSE
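
An added example, not part of the thread: a PowerShell audit of the per-user join limit mentioned above and of which computer accounts were created by users exercising that right. It assumes the ActiveDirectory module (RSAT) and read access to the domain; the attribute names `ms-DS-MachineAccountQuota` and `mS-DS-CreatorSID` are standard AD schema attributes that the thread itself does not name.

```powershell
# Added example: audit self-service domain joins. Read-only; changes nothing.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# The per-user join limit lives on the domain root object (AD default is 10).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
          -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# Computer accounts created through the "add workstations to the domain" user right
# record the creator's SID in mS-DS-CreatorSID. Accounts created by someone with
# delegated create permissions on the container typically have no value there.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
          -Properties 'mS-DS-CreatorSID', whenCreated

$report = foreach ($c in $joined) {
    $sid = $c.'mS-DS-CreatorSID'
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # creator deleted or SID no longer resolvable
    [pscustomobject]@{
        Computer  = $c.Name
        CreatedBy = $who
        Created   = $c.whenCreated
    }
}

# Full list, then a per-user count to spot accounts at or near the quota.
$report | Sort-Object CreatedBy, Created | Format-Table -AutoSize
$report | Group-Object CreatedBy | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A quota of 0 means ordinary users cannot create computer accounts this way; any rows in the report then predate that setting.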