Join Machines To Domain

[zeveck]

How do I make it so that a specified group, say DomainFriends, can add/remove/replace machines on the domain?

The 'Add workstations to domain' privilege appears to allow the group to Add, but only NEW machines. When there is already an existing machine of the same NetBIOS name I get an 'Access Denied' from accounts with the privilege even though the Administrator can still add such a machine just fine.

Thoughts?

 

[wdoellefeld]

This is where the account operators group comes in handy. Or just delegate account permissions in addition to add WS to the domain.

FRCP

http://www.frcp.net

 

[zeveck]

But I don't want the users to be able to add/remove accounts...just add/remove/replace computers. Account Operators appears to offer too much; and I am not sure what I have to delegate to achieve my intended goal... =(

 

[Loki1973]

Give Full Control on the OU containing the computer accounts for the group. Only works if OU's for computers and user accounts are different of course.

 

[monsterjta]

Add these users to a security group and call it <whatever>. In GPMC, appoint delegation to whichever computer OU's you want this group to modify. With special priviliges, you can delegate this group to create and/or delete computer objects in specified computer OU's, or move computer objects to or from specified computer OU's.

Hope this helps.

 

[porkchopexpress]

http://www.microsoft.com/technet/pr...elp/7207aa3e-d95d-4176-a1ca-bc629f1ca698.mspx