Adding PC to domain without Admin rights

Status
Not open for further replies.

evoroel

IS-IT--Management
Jun 23, 2003
Hello

I'm trying to take some burden off our system administrator.

We have a strict policy about local and domain administrator passwords. No one except the admin and backup admin has access to these passwords.

We have four locations and one IT department. To prevent our administrators from having to travel frequently to the other offices, I'm trying to set up accounts on both the domain and local workstation so normal users can add a new workstation to the domain.

I have set up a normal domain user on each domain. Using the Domain Controller Security Policy I have given this user access to the "Add workstations to the domain" policy.

When I try to add an NT4.0 workstation to the domain (local login as administrator) I can add the workstation to the domain.
When I try to add an XPPRO workstation to the domain (local login as administrator) I get ACCESS DENIED.

Can anyone give me some info about this?

Step 2:

Let's say I can create a domain user for adding the workstations to the domain. You still have to be logged on locally as administrator to change the network settings (for both NT4.0 and XPPRO).

Is there a way I can create a local normal user to change the network settings (so be able to add a workstation to the domain)?

Sorry for the long story but I wanted to give all the info!
Greetz
Roel
 
Do you have Domain Administrative rights?

Swimpy ;)
 
I have domain admin rights. But the users who are adding the workstations don't.

UPDATE: The first problem with the XPPRO workstations is solved. I was trying with a PC that was already added to the domain and I forgot to restart when testing.

Problem 2 remains: A local user without administrator rights that is able to change the network settings.
 
So far as I know, the only way a local user can add a PC to the domain or change network settings is by making him a domain administrator.
 
Yes, I have come to that conclusion as well.

I have created a workaround:

- give the administrator an easy password.
- in RunOnce place a script that resets the password.
- the script deletes itself so the unencrypted password is removed from the PC.

The user has to log on as administrator once (he can only log on once) and add the computer to the domain. After restart the password is reset and he can't log in anymore as administrator.

The first problem is that at first logon the user has all the rights to mess things up.

The second problem is that the file can be undeleted.

Anyone have a better idea?
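
An added example, not part of the original post or written by any participant in the thread: a PowerShell audit that reports RunOnce entries which still carry a cleartext password, the exposure the workaround above relies on the self-delete to remove. It assumes the reset is done with `net user <account> <password>` and that any launched script is a `.bat` or `.cmd` file; the function and variable names are hypothetical.

```powershell
# Added example (not from the thread): audit RunOnce for cleartext password resets.
# Assumption: the reset is done with "net user <account> <password>", either
# directly in the RunOnce value or inside a .bat/.cmd file that the value launches.
$runOnceKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Literal second argument after the account name. "*" (interactive prompt) and
# switches such as /add or /delete are not treated as passwords.
$netUserPattern = '(?i)\bnet(\.exe)?\s+user\s+\S+\s+(?![*/])\S+'
$scriptPattern  = '(?i)([a-z]:\\[^"]+?\.(bat|cmd))'

function Test-CleartextPasswordCommand {
    param([string]$Text)
    return [bool]($Text -match $netUserPattern)
}

function Get-RunOnceFinding {
    foreach ($keyPath in $runOnceKeys) {
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            $reason  = $null
            if (Test-CleartextPasswordCommand $command) {
                $reason = 'password on RunOnce command line'
            } elseif ($command -match $scriptPattern) {
                # The value launches a batch file: inspect its contents as well.
                $scriptFile = $Matches[1]
                if (Test-Path -LiteralPath $scriptFile) {
                    $body = Get-Content -LiteralPath $scriptFile -Raw
                    if (Test-CleartextPasswordCommand $body) { $reason = "password inside $scriptFile" }
                }
            }
            if ($reason) {
                [pscustomobject]@{ Key = $keyPath; Value = $name; Reason = $reason }
            }
        }
    }
}

Get-RunOnceFinding | Format-Table -AutoSize
```

This only sees entries and files that still exist; it does not address the point raised above that a deleted script can be undeleted.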
 
Why do the users need to be able to add machines to the domain and change network settings? Can you do that and then send the machine to them ready to put in place and go?
 
We have a very basic network setup. Four different domains in four locations. People frequently travel between the locations, so transporting the workstations is not a problem.

I myself have plans on reorganising the network, start using VPN and only one domain. But I'm a junior sysadmin and still need more experience before attempting to do a complete reorganisation. I'm reading Sybex's book about AD (70-217) as you read this!

For now, we need a quick (and not so dirty) solution.
 
If the workstations are XP, why not use Remote Desktop to connect to the systems and do the admin work yourself?
 
Workstations are both NT and XP. They are behind a firewall and use DHCP.

I have no idea how to use Remote Desktop in this configuration. I'll take a look at it!

Tnx for the response!
Roel
 