Re: Permissions to join machine to domain



Thanks but those links really didn't help.

I'm looking for just a list of ACL/ACE permissions to allow only joining to
the domain.



"Ace Fekay [MVP]" wrote:

In news:52863A74-AA6E-47BE-907A-F4942603443F@xxxxxxxxxxxxx,
Drew <Drew@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, which I commented on below:
Hello Microsoft,

I want to delegate the following control to a group. I have to meet
the following criteria

1. Group must be able to join a machine in his/her OU to the domain.
2. UNABLE to change/create/reset/delete or do anything else to the
computer accounts in that OU.

Can anyone break down which granular permissions I need to set on the
OU.....

Thanks

By default, a user can add up to 10 computers in a domain. That can be
changed in ADSI Edit, DomainNC, rt-click properties of the domain.com name,
scroll down to (memory now...) dsmachine quota. By default it's not set, but
it's 10.

For delegation and more info on the above, see the first one below.

251335 - Domain Users Cannot Join Workstation or Server to a Domain:
http://support.microsoft.com/?id=251335

Download details Best Practices for Delegating Active Directory
Administration:
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

315676 - HOW TO- Delegate Administrative Authority in Windows 2000 (extra
links in this one):
http://support.microsoft.com/default.aspx?scid=kb;en-us;315676

Q279723 - How to Grant Help Desk Personnel the Specific Right to Unlock
Locked User Accounts:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q279723&;

294777 - How to Delegate Group Policy Control to users in Trusted Domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294777

221577 - HOW TO- Delegate Authority for Editing a Group Policy Object (GPO):
http://support.microsoft.com/default.aspx?scid=kb;en-us;221577

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.

The only thing in life is change. Anything less is a blackhole consuming
unnecessary energy.
===========================
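
An added example, not part of the original posts: a read-only audit that shows the domain-wide machine account quota mentioned in the reply and lists which trustees can already create or delete computer objects in one OU. It assumes the RSAT ActiveDirectory module, that the attribute meant is `ms-DS-MachineAccountQuota`, and a hypothetical OU path `OU=Workstations,DC=example,DC=com`.

```powershell
# Added example: read-only audit. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Hypothetical OU; replace with the OU being delegated.
$TargetOU = 'OU=Workstations,DC=example,DC=com'

# schemaIDGUID of the "computer" class; it appears as ObjectType in
# object-specific Create Child / Delete Child ACEs.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# 1. Domain-wide quota: how many computer accounts an ordinary
#    authenticated user may create without any delegation.
$domainDN = (Get-ADDomain).DistinguishedName
$domainObj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$quota = $domainObj.'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on ${domainDN}: $quota"

# 2. Allow ACEs on the OU that let a trustee create or delete computer
#    objects, or rewrite the ACL. GenericAll already contains the
#    CreateChild and DeleteChild bits, so the mask catches it as well.
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$mask = [int]($rights::CreateChild -bor $rights::DeleteChild -bor $rights::WriteDacl)

$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $mask) -and
        # An empty ObjectType GUID means the right applies to every child class.
        ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Any trustee in the output beyond the intended delegation group can add machines to that OU regardless of the quota value.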


