
delegating adding workstation to domain

Status
Not open for further replies.

jmajorz24

IS-IT--Management
Aug 28, 2003
If someone could point me in the right direction on how to accomplish the following goal I would greatly appreciate it. I am wanting to delegate the right to add/delete computer objects in the default computer container in Active Directory. This group of users should only be able to add/remove PCs to and from the domain and no other rights. How can I do this? Any help is greatly appreciated. I know that regular users can add 10 workstations to the domain by default, so please refrain from that being your answer.

Thanks





Depending on how fancy your Active Directory integration is, you'll want to create a group (either universal, domain, or local) that has the rights to create and the right to remove computer objects. We are dealing with the same situation, but just granting those users these two security permissions (advanced permissions in the properties of the group) will not fully work with our scripting processes for user addition/removal... I've had to assign the users to the Account Operators group to be able to add/remove without problems... and of course I do not want to give them account privileges, but we have yet to come across a better solution. (They are all IT folk in our organization and it's a long story, but it wasn't horrible for us to do that given our mixed Novell/NT environment.) Your AD environment may differ (ours is somewhat complex due to syncing with NDS), so giving those two specific rights should suffice.

The exact security permissions are:

(Under Properties of the Computer container, security, advanced, effective permissions)

Select the group you've created and assign these permissions:

Create Computer Objects
Delete Computer Objects

I'm not completely sure if you need these permissions, but you may need these: (testing would confirm this, which I haven't done yet)

List Contents
Read Permissions
Read All Properties

Hope this helps... do some testing on this, but if in doubt, the Account Operators group has full permission over this, so use that as a baseline. Let me know your results... I am kind of curious about the bare minimum you need to do this.
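
The two permissions named in the answer above, granted from PowerShell and then read back to see every principal that holds them on the container. This is an added example, not part of the original thread; the domain DN `DC=example,DC=com` and the group name `Workstation-Joiners` are placeholders. It assumes the ActiveDirectory module (RSAT) and an account allowed to modify the container's ACL.

```powershell
# Added example: delegate only "Create Computer Objects" and
# "Delete Computer Objects" on the default Computers container.
Import-Module ActiveDirectory

$containerDn = 'CN=Computers,DC=example,DC=com'   # placeholder domain DN
$groupName   = 'Workstation-Joiners'              # hypothetical delegated group

# schemaIDGUID of the "computer" class. Scoping the ACE to this GUID limits
# CreateChild/DeleteChild to computer objects, not users, groups or OUs.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$group  = Get-ADGroup -Identity $groupName
$adPath = "AD:\$containerDn"
$acl    = Get-Acl -Path $adPath

$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)  # this container only

$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# Read the ACL back and list every principal that can create or delete
# computer objects here, so broader pre-existing grants are visible too.
(Get-Acl -Path $adPath).Access |
    Where-Object {
        $_.ObjectType -eq $computerClass -and
        $_.ActiveDirectoryRights -match 'CreateChild|DeleteChild'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

The read-back is also a quick way to compare the delegated group against what Account Operators holds on the same container before deciding whether the optional read permissions are needed.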
 