Usr account to join domain

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Usr account to join domain

    For automation purposes I want to create a user whose sole purpose is adding/removing computers to a domain but with minimal other options.

    What I've done so far is:
    Create a user who is a member of Domain Users
    Gave this user FullControl over ComputerObjects

    Now when I try to join a domain with that account, I get an access denied error.

    Which permissions am I missing?

  • #2
    Re: Usr account to join domain

    You are missing the "Create Computer objects" allow permission on the container where the computer accounts should be created (by default the Computers container).
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      Re: Usr account to join domain

      Did you use this account to join some computers to the domain already?
      I believe the default count for the user w/o domain admin privileges is 10 computer accounts.
      Regards,
      John


      • #4
        Re: Usr account to join domain

        Originally posted by John777
        Did you use this account to join some computers to the domain already?
        I believe the default count for the user w/o domain admin privileges is 10 computer accounts.
        Unless the account has explicit "Create Computer Objects" allow permission on the container/OU where computer accounts are created - in this case the quota does not apply.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"


        • #5
          Re: Usr account to join domain

          Originally posted by guyt
          You are missing the "Create Computer objects" allow permission on the container where the computer accounts should be created (by default the Computers container).
          Have tried to do that but the settings won't hold. I added that user to the security tab of the Computers OU. Initially, if you look in the Advanced Sec Settings, this user only has Read permissions. Through EDIT I set Allow for Create & Delete Computer Objects and click Ok to close. But the settings will not stay and it still says that the user only has Read permissions.


          • #6
            Re: Usr account to join domain

            Hi,

            If you want to permit this user to create computer objects under any OU, then you need to give permission to create computer accounts in the advanced security tab in the properties of the OU. Additionally, you will not be able to join the computer from the GUI, because if you join the computer from the GUI it goes directly under the Computers container, not in the OU. In this case you need to run the following command:

            netdom ADD machinename /Domain:"FQDN of domain" /UserD:username /PasswordD:* /OU:"OU=DN of the OU"

            Secondly, if you want to delegate control to join computers under the Computers container, then you need to give the permission to create computer accounts in the advanced security page in the properties of the Computers container.
            Kapil Sharma
            ~~~~~~~~~~~~~
            Life is too short, Enjoy It.

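An added example, not part of any post in this thread: a PowerShell audit that reports whether a join account holds the "Create/Delete Computer objects" permission discussed above on a given container, and what the domain's machine account quota is. It assumes the ActiveDirectory module (RSAT); `EXAMPLE\svc-join` and the container DN are placeholders, and only ACEs naming the account directly are checked (grants via group membership are not resolved).

```powershell
# Added example: audit the delegation for a domain-join service account.
# Requires the ActiveDirectory module (RSAT). Names below are placeholders.
Import-Module ActiveDirectory

$Account   = 'EXAMPLE\svc-join'                 # hypothetical join account
$Container = 'CN=Computers,DC=example,DC=com'   # hypothetical target container/OU

# schemaIDGUID of the "computer" class. An ACE with this ObjectType is scoped
# to computer child objects only; an empty GUID means all child classes.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AdRights      = [System.DirectoryServices.ActiveDirectoryRights]

function Test-ComputerChildRight {
    param(
        [object[]]$Aces,
        [System.DirectoryServices.ActiveDirectoryRights]$Right
    )
    # True when an Allow ACE grants $Right specifically for computer objects
    [bool]($Aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $Right) -eq $Right -and
        $_.ObjectType -eq $ComputerClass
    })
}

# Explicit and inherited ACEs on the container that name the account directly
$aces = @((Get-Acl -Path "AD:\$Container").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account })

# Domain-wide quota of computer accounts an ordinary user may create
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

[pscustomobject]@{
    Account             = $Account
    Container           = $Container
    CanCreateComputers  = Test-ComputerChildRight -Aces $aces -Right ($AdRights::CreateChild)
    CanDeleteComputers  = Test-ComputerChildRight -Aces $aces -Right ($AdRights::DeleteChild)
    # Full control is broader than a join-only account needs; flag it for review
    HasGenericAllAce    = [bool]($aces | Where-Object {
        ($_.ActiveDirectoryRights -band $AdRights::GenericAll) -eq $AdRights::GenericAll
    })
    MachineAccountQuota = $quota
}
```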