Re: adding workstations to a Win2k domain

From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 03/12/04 

Date: Fri, 12 Mar 2004 09:24:49 -0700

I can't agree more:-). 

-- 
Derek Melber
BrainCore.Net
derekm@braincore.net
"Ulf B. Simon-Weidner [MVP]" <nospam2-ulf@usw-consulting.com> wrote in
message news:MPG.1abb75129caea239989aa3@msnews.microsoft.com...
> Derek Melber [MVP] says...
> > The "Add workstation to domain" user right is NOT required to add
> > workstation accounts to the domain. You only need to delegate the
> > permissions.
> >
> > However, there is a built in limit of 10 computers that anyone can add
to
> > the domain. So, you need to modify AD to allow more. You need to modify
the
> > ms-DS-MachineAccountQuota setting using LDP or ADSIEDIT.
> >
> > Ideally, you will only allow certain users add computers to certain OUs
or
> > containers in the domain. This is done through delegation, not Add
> > workstation to domain user rights. The Add workstations to domain user
right
> > is only for backwards compatibility and it the "old way" of getting the
job
> > done.
> >
> Hello Derek,
>
> as far as I understand the limit of 10 computers does not apply to the
users
> who have delegated rights on a OU or domain to create computer accounts.
The
> limit just applies to the Groups that have the user right to "Add
workstations
> to the domain" (per default Authenticated Users).
>
> If you don't want general users to be able to add computers to the domain
it's
> sufficient to remove Authenticated Users from that user right in the
default
> domain controllers policy.
>
> Modifying the limit of 10 computers is just necessary if you want certain
> groups or authenticated users to add workstations to the domain, but only
a
> certain amount.
>
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner

Relevant Pages

  • Re: Logon Traffic
    ... Either fix this or add DCs for each remote domain ... In this case I assume the workstation & user will try to authenticate and ... connect to a DC in the local site to authenticate. ... Client computers chase the authentication referrals ...
    (microsoft.public.windows.server.active_directory)
  • Re: Computer Migration
    ... I recall the account running ADMT must be a local admin on the workstation ... Usually by configuring a forwarder in the source domain DNS server to ... but when I am migrating computers i always get stuck. ... manually to the new domain but not with ADMT migration tool. ...
    (microsoft.public.windows.server.migration)
  • Re: Computer Migration
    ... Usually by configuring a forwarder in the source domain DNS server to ... but when I am migrating computers i always get stuck. ... manually to the new domain but not with ADMT migration tool. ... sure netlogon and workstation services are running and you can ...
    (microsoft.public.windows.server.migration)
  • Re: ADUC & SBS groups
    ... On the workstation, if you go to CP -> System and flip to the Computer Name ... tab, does it say the computer is a member of the domain? ... fairly obvious error if you tried to modify the local Administrators group ... the SBS and go to AD Users and Computers. ...
    (microsoft.public.windows.server.sbs)
  • Re: ADUC & SBS groups
    ... MyBusiness and SBSComputers are both OUs. ... icons are different - when you look at them in the Group Policy Management ... the workstation, and I agree that you should be able to perform normal ... the Add Computer wizard in SBS places the computers in the latter ...
    (microsoft.public.windows.server.sbs)