Re: User account that may generate computer accounts

If memory serves, it's Authenticated Users, not Everybody.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


"Lofote" <byespammers@xxxxxxxxx> wrote in message
news:uRDAgRGWFHA.2928@xxxxxxxxxxxxxxxxxxxxxxx
> Thanks a lot, that was the thing I searched for.
>
> but...
>
> uh...
>
> *everybody*, who has a domain user account (even guests?) is allowed to join
> his or her computer to my domain - up to 10? That is something I definitely
> do not want. Is there any way to only let people that own the "Add workstations
> to domain" right add a computer to the domain?
>
>
>
> "Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx> wrote in message
> news:Ou$VwY6VFHA.2256@xxxxxxxxxxxxxxxxxxxxxxx
>> By default all users have the right to add 10 computer accounts. If you
>> just want to delegate this right to a user you'll find details here:
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7207aa3e-d95d-4176-a1ca-bc629f1ca698.mspx
>>
>> Regards,
>> /Jimmy
>> --
>> Jimmy Andersson, Q Advice AB
>> Microsoft MVP - Directory Services
>> ---------- www.qadvice.com ----------
>>
>>
>> "news.microsoft.com" <byespammers@xxxxxxxxx> wrote in message
>> news:eLOMYQ6VFHA.3488@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hello everybody,
>>>
>>> I want to create a user in my AD (Win2003), that is able to create
>>> computer accounts in the domain but may not create or edit user
>>> accounts.
>>> How can I accomplish this? Can I somehow set the rights on the
>>> "Computers" folder using the AD Users&Computers tool to set this right?
>>>
>>> The reason I want to do this is for unattended installation scripts
>>> (winnt.sif), that contain a domain admin password on a diskette. Now if
>>> some user gets this disk accidentally s/he should at least not be able to
>>> modify user accounts and for example give him/herself admin rights.
>>>
>>>
>>
>>
>
>
>


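Added example, not part of the original thread or of Microsoft's documentation: a PowerShell audit of which users have already consumed the default 10-computer join allowance discussed above. It assumes the per-user limit is stored in the domain root's ms-DS-MachineAccountQuota attribute and that accounts joined under it carry ms-DS-CreatorSID; the function name Get-MachineQuotaReport and the sample rows are constructed for illustration.

```powershell
# Added example: report computer accounts created through the default
# per-user join allowance, grouped by the user who created them.
function Get-MachineQuotaReport {
    param(
        [Parameter(Mandatory)] [object[]] $Computer,  # needs Name and ms-DS-CreatorSID
        [Parameter(Mandatory)] [int]      $Quota      # value of ms-DS-MachineAccountQuota
    )
    $Computer |
        # Accounts pre-created by administrators have no creator SID; skip them.
        Where-Object { $_.'ms-DS-CreatorSID' } |
        Group-Object { [string]$_.'ms-DS-CreatorSID' } |
        ForEach-Object {
            [pscustomobject]@{
                CreatorSid = $_.Name
                Joined     = $_.Count
                Remaining  = [math]::Max(0, $Quota - $_.Count)
                Computers  = ($_.Group.Name | Sort-Object) -join ', '
            }
        } |
        Sort-Object Joined -Descending
}

# Constructed sample rows (SIDs and host names are made up) so the function
# can be exercised without a domain controller.
$sample = @(
    [pscustomobject]@{ Name = 'WS-LAB-01';   'ms-DS-CreatorSID' = 'S-1-5-21-1111111111-2222222222-3333333333-1104' }
    [pscustomobject]@{ Name = 'WS-LAB-02';   'ms-DS-CreatorSID' = 'S-1-5-21-1111111111-2222222222-3333333333-1104' }
    [pscustomobject]@{ Name = 'WS-HOME-07';  'ms-DS-CreatorSID' = 'S-1-5-21-1111111111-2222222222-3333333333-1187' }
    [pscustomobject]@{ Name = 'SRV-FILE-01'; 'ms-DS-CreatorSID' = $null }  # admin-created
)
Get-MachineQuotaReport -Computer $sample -Quota 10 | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
#   $root = Get-ADObject -Identity (Get-ADDomain).DistinguishedName `
#               -Properties 'ms-DS-MachineAccountQuota'
#   $live = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
#               -Properties 'ms-DS-CreatorSID'
#   Get-MachineQuotaReport -Computer $live -Quota $root.'ms-DS-MachineAccountQuota'
#
# To stop self-service joins altogether, set the quota to 0 and delegate
# computer-object creation explicitly, as the linked article describes:
#   Set-ADDomain -Identity (Get-ADDomain) -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

With the quota at 0, only principals that hold delegated create rights on the target container can still add computer accounts, which is the restriction asked for in the thread.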