Re: Give a user rights to add machine to domain, not 10 limit

From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 01/30/05


Date: Sun, 30 Jan 2005 15:18:34 -0000

The option in user rights assignment called "Add workstations to the domain"
is somewhat misleading. In Windows NT 4, granting this right allowed users
to add an unlimited number of machines to the domain.

In Windows 2000 and above, Microsoft changed the meaning. Since Active
Directory has different containers where computer accounts can reside,
Active Directory permissions are used to control who can add workstations on
a container-by-container basis. The old "add workstations to the domain"
right is still there, but its meaning has changed. It allows, by default,
all domain users to add up to 10 machines to the domain.

You can use the delegation of control wizard to allow creation of new
computer accounts for a specific container. You may also want to consider
allowing deletion of computer objects, so that computers can be re-added
after they've been wiped. Also, make sure you create a group and don't
delegate directly to a user. The delegation of control wizard is much
better at configuring delegation than letting you manage what's already been
delegated.

Regards

Oli

"Dave Niemeyer" <nospamdniemeye@hotmail.com> wrote in message
news:OFkpt4sBFHA.4072@tk2msftngp13.phx.gbl...
>I see 2 places where I can allow a user to be allowed to add machines to
>the domain of our win2k3 domain. I can give it to him in domain security
>settings and I was shown how in group policy. Problem is, the user is kept
>down to 10 machines max, and then he's given no rights to add. How do I get
>around this limit of 10?
>
> Dave Niemeyer
>
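
The per-container delegation described in the reply above, done and then audited from PowerShell; this is an added example, not part of the original thread. It assumes the ActiveDirectory module (RSAT) is available, and the OU and group names are hypothetical placeholders. The 10-machine limit is the domain's `ms-DS-MachineAccountQuota` attribute, which the script reads first.

```powershell
# Added example. OU and group names are placeholders, not from the thread.
Import-Module ActiveDirectory

$ou    = 'OU=Workstations,DC=example,DC=com'   # hypothetical container
$group = 'EXAMPLE\Workstation-Joiners'         # hypothetical delegation group

# schemaIDGUID of the "computer" object class
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# 1. Read the domain-wide quota behind the 10-machine limit (default is 10).
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on ${domainDn}: $quota"

# 2. Delegate create + delete of computer objects to the group (never to a
#    single user), scoped to this OU and its sub-containers only.
$sid = [System.Security.Principal.NTAccount]::new($group).Translate(
    [System.Security.Principal.SecurityIdentifier])
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Audit what is already delegated: every Allow ACE on the OU that lets a
#    principal create computer objects. An empty ObjectType GUID means the
#    right applies to all object classes, so those ACEs are listed too.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Step 3 can be run on its own against any container to review existing delegations before adding new ones.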
