Re: User account that may generate computer accounts

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

Thanks a lot, that was the thing I searched.

but...

uh...

*everybody*, who has a domain user account (even guests?) is allowed to join
his or her computer to my domain - up to 10? That is something I definitely
not want. Is there anyway to only let people that own the "Add workstations
to domain" right add a computer to the domain?



"Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx> schrieb im Newsbeitrag
news:Ou$VwY6VFHA.2256@xxxxxxxxxxxxxxxxxxxxxxx
> By default all users have the right to add 10 computer accounts. If you
> just want to delegate this right to a user you'll find details here:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7207aa3e-d95d-4176-a1ca-bc629f1ca698.mspx
>
> Regards,
> /Jimmy
> --
> Jimmy Andersson, Q Advice AB
> Microsoft MVP - Directory Services
> ---------- www.qadvice.com ----------
>
>
> "news.microsoft.com" <byespammers@xxxxxxxxx> wrote in message
> news:eLOMYQ6VFHA.3488@xxxxxxxxxxxxxxxxxxxxxxx
>> Hello everybody,
>>
>> I want to create a user in my AD (Win2003), that is able to create
>> computer accounts in the domain but may not create or edit user accounts.
>> How can I accomplish this? Can I somehow set the rights on the
>> "Computers" folder using the AD Users&Computers tool to set this right?
>>
>> The reason I want to do this is for unattended installation scripts
>> (winnt.sif), that contain a domain admin password on a diskette. Now if
>> some user gets this disk accidently s/he should at least not be able to
>> modify user accounts and for example give him/herself admin rights.
>>
>>
>
>



.

Relevant Pages

  • Re: Changed admin name - how about the corresponding folder in Documents and settings
    ... a user accounts dialog box try changing user name from there. ... Reset the ... gpedit change before u do this. ... with admin rights (becoz i can't delete this new admin rights account ...
    (microsoft.public.windowsxp.customize)
  • Re: User accounts
    ... Hi - you can't really stop anyone with admin rights from accessing whatever ... Express or Forte Agent rather than the web interface to the newsgroups - ... > I have three user accounts on a computer, ... > accounts and administrative tools?? ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Creating/editing user accounts
    ... Subject: Creating/editing user accounts ... You can *very* easily delegate the ability to create and edit user accounts ... without giving admin rights in AD. ... you should not be giving administrative rights to accomplish ...
    (Focus-Microsoft)
  • Re: Report on administrator user accounts....
    ... a script is what will be required. ... A tool you can use centrally to enumerate the administrator group on each remote workstation is LG http://www.joeware.net/win/free/tools/lg.htm ... on the pc,s are defined by the user accounts within control panel - User accounts. ... i need a report on the users that have admin rights to there pc on the network. ...
    (microsoft.public.security)
  • Re: adminitrator account
    ... change picture. ... all other options tells you that administrator is needed.. ... > It's in User accounts, click on 'change the way users log on or off'. ... >>> users with admin rights are able to start in safe mode. ...
    (microsoft.public.windowsxp.help_and_support)