Re: User account that may generate computer accounts




By default all users have the right to add 10 computer accounts. If you just
want to delegate this right to a user you'll find details here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7207aa3e-d95d-4176-a1ca-bc629f1ca698.mspx

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


"news.microsoft.com" <byespammers@xxxxxxxxx> wrote in message
news:eLOMYQ6VFHA.3488@xxxxxxxxxxxxxxxxxxxxxxx
> Hello everybody,
>
> I want to create a user in my AD (Win2003), that is able to create
> computer accounts in the domain but may not create or edit user accounts.
> How can I accomplish this? Can I somehow set the rights on the "Computers"
> folder using the AD Users&Computers tool to set this right?
>
> The reason I want to do this is for unattended installation scripts
> (winnt.sif), that contain a domain admin password on a diskette. Now if
> some user gets this disk accidentally s/he should at least not be able to
> modify user accounts and for example give him/herself admin rights.
>
>


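The delegation discussed in this thread, as an added example that is not part of the original posts: it reads the per-user computer account quota and grants one account the right to create computer objects only. The account name EXAMPLE\svc-join and the choice of the default CN=Computers container are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run as a domain administrator on a
# domain-joined machine that has dsacls.exe available.
$JoinAccount = 'EXAMPLE\svc-join'   # hypothetical low-privilege account

# Locate the domain naming context through ADSI (no AD module required).
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# ms-DS-MachineAccountQuota on the domain object holds the per-user limit
# (10 by default) mentioned in the reply.
$quota = $domain.psbase.Properties['ms-DS-MachineAccountQuota'].Value
Write-Output "ms-DS-MachineAccountQuota on $domainDn = $quota"

# Grant only Create Child (CC) for objects of class "computer" on the
# container. Nothing is granted on user objects, so the account cannot
# create or edit users or change group membership.
$container = "CN=Computers,$domainDn"
& dsacls.exe $container /G "${JoinAccount}:CC;computer"
if ($LASTEXITCODE -ne 0) {
    throw "dsacls failed with exit code $LASTEXITCODE"
}

# Verify: show the explicit (non-inherited) ACEs the account now holds on
# the container. Expect a single Allow / CreateChild entry.
$entry = [ADSI]"LDAP://$container"
$rules = $entry.psbase.ObjectSecurity.GetAccessRules(
    $true, $false, [System.Security.Principal.NTAccount])
$rules |
    Where-Object { $_.IdentityReference.Value -eq $JoinAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  ObjectType, AccessControlType |
    Format-List
```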