Absolute minimum rights to join domain

  • Absolute minimum rights to join domain

    Hi everyone,

    Can anybody let me know what are the absolute minimum rights required to join a machine to a domain when the computer account already exists?

    Well my test domain was a bit messed up but in the end:

    Set default policy not to allow any group but domain admins to add workstations to the domain.

    Delegated the rights to my group on the proper OU: Change password, Write all properties, Reset password.

    That group can now rejoin the machine to the domain properly. However, I joined the machine with a new name, and it said it did join the domain..except the account never got created in the domain (the user has no rights to create computer objects).

    I'm just trying to find the most perfect, cleanest way to allow a Windows sysadmin to take a machine out of the domain and then back in without having any other rights.

    Thanks for your input.
    Last edited by gepeto; 20th October 2008, 17:28.
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

  • #2
    Re: Absolute minimum rights to join domain

    Authenticated Users can add up to 10 PCs to the domain.


    Default domain controllers policy >
    Computer Settings -> Windows Settings -> Security Settings -> Local Policies -> user Rights Assignment - Add workstation to Domain


    You can restrict them in this policy; make it Administrators or something.

    There is more information in the 'explain this setting' tab of the policy setting.

    I just saw the rest of your post; you must have been editing it when I posted this.
    Last edited by uk_network; 20th October 2008, 17:45.
    Please remember to award reputation points if you have received good advice.
    I do tend to think 'outside the box' so others may not always share the same views.

    MCITP -W7,
    MCSA+Messaging, CCENT, ICND2 slowly getting around to.
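The two settings this reply points at, as an added PowerShell example that is not part of the thread: it reports who currently holds "Add workstations to domain" (the SeMachineAccountPrivilege user right, read from a domain controller's effective policy with secedit) and the ms-DS-MachineAccountQuota attribute, which is where the "10 PCs" default for Authenticated Users actually comes from. It assumes the RSAT ActiveDirectory module and WinRM access to a DC; the account and host names in the usage lines are constructed.

```powershell
# Added example (not from the thread). Audits the two settings behind post #2:
# who holds "Add workstations to domain" (SeMachineAccountPrivilege) on a DC,
# and ms-DS-MachineAccountQuota, the attribute that gives Authenticated Users
# their default 10 joins. Assumes the RSAT ActiveDirectory module and WinRM
# access to a domain controller as a user allowed to export the local policy.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The quota is stored on the domain head object (DC=company,DC=com).
    $domainDN = (Get-ADDomain).DistinguishedName
    $obj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
    return [int]$obj.'ms-DS-MachineAccountQuota'
}

function Get-AddWorkstationsRightHolders {
    param([string]$DomainController = (Get-ADDomainController).HostName)
    # secedit exports the effective local security policy, which on a DC already
    # includes whatever the Default Domain Controllers Policy applied.
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $inf = Join-Path $env:TEMP 'user_rights.inf'
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content $inf | Where-Object { $_ -match '^SeMachineAccountPrivilege' } | Select-Object -First 1
        Remove-Item $inf -ErrorAction SilentlyContinue
        if (-not $line) { return @() }          # right assigned to nobody at all
        # Line format: SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-32-544
        foreach ($entry in (($line -split '=', 2)[1].Trim() -split ',')) {
            $sid = $entry.Trim().TrimStart('*')
            try {
                (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $sid }                    # unresolvable SID: show it raw
        }
    }
}

# Usage: report the state and flag the permissive default the thread is closing off.
$holders = Get-AddWorkstationsRightHolders
$quota   = Get-MachineAccountQuota
"Add workstations to domain: $($holders -join ', ')"
"ms-DS-MachineAccountQuota:  $quota"
if ($holders -contains 'NT AUTHORITY\Authenticated Users' -and $quota -gt 0) {
    Write-Warning "Any domain user can still join $quota machine(s); remove Authenticated Users from the right and/or zero the quota."
}
# Complementary hardening (beyond what the thread does): with the quota at 0,
# only the user right and explicit OU delegations govern who can join.
# Set-ADObject -Identity (Get-ADDomain).DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

Editing the user right through the Default Domain Controllers Policy, as the reply describes, is still the right place to make the change; this script only lets you confirm the result landed on the DC and that the quota is not quietly re-enabling what the GPO took away.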

    • #3
      Re: Absolute minimum rights to join domain

      I disabled that by giving only Domain admins that right.

      Right now my problem is that my main goal, that to allow members of a specific group to REJOIN a domain (existing account that had been disjoined for troubleshooting) works, however, when I try to join the machine with another name, the machine itself thinks it's ok, but the account never gets created.

      If it would just display access denied everything would be fine. I'm building a 2003 VM to test on as we speak, I can replicate the issue on my 2000 test server easily.

      Rename machine to new name
      Join domain "Welcome to domain!"
      Reboot..can't logon to domain as computer account doesn't exist.

      Anyways, after further testing it seems Write all properties and reset password are the minimum rights required to RE-join a domain for an existing computer.
      Last edited by gepeto; 20th October 2008, 18:26.

      • #4
        Re: Absolute minimum rights to join domain

        I've managed to do this,

        I took Authenticated Users out of the policy:

        Default domain controllers policy >
        Computer Settings -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment - Add workstations to domain

        Created a new OU called "add computers", a group called "add computer" and a user called "add1".

        Added this new group to the above policy.

        In ADUC, at the domain level (company.com) I right-clicked and chose Delegate Control.
        Added the group "add computer" > Create a custom task to delegate > Only the following objects in the folder; clicked Computer objects, checked
        "Create selected objects in this folder" and "Delete selected objects in this folder".
        Clicked Next >
        chose Property-specific, and in the list chose Read and Write.
        Clicked Next and Finish.

        Tested it. Seemed ok.

        Dunno if that helped.
        Last edited by uk_network; 20th October 2008, 18:34.

        • #5
          Re: Absolute minimum rights to join domain

          I found my solution. I did not want to allow people to create computer objects, as I've said, as that is not the minimum amount of rights needed to do what was needed for me.

          Thanks

          • #6
            Re: Absolute minimum rights to join domain

            Post your findings....

            • #7
              Re: Absolute minimum rights to join domain

              Originally posted by gepeto:
              Anyways, after further testing it seems Write all properties and reset password are the minimum rights required to RE-join a domain for an existing computer.
              Of course it involves making sure the default domain controller policy prohibits authenticated users from adding computers. But that is all that there is to it.

              My previous weird situation where the creation didn't happen but the machine thought it did was due to me setting a policy in the default domain policy by mistake, and somehow Windows thought the account was getting created, but it wasn't.

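Both delegations discussed in the thread, as an added PowerShell example that is not the posters' own procedure: the "Write all properties + Reset password" set on existing computer objects that #3 and #7 settle on as the minimum for a re-join, and, behind a switch, the wider create/delete variant from #4. It writes the ACEs directly to the OU instead of going through the Delegate Control wizard, and includes a check to read back what a computer object in the OU actually ended up with. It assumes the RSAT ActiveDirectory module; the OU, group and computer names are constructed, while the two GUIDs are the fixed schema GUID of the computer class and the fixed GUID of the "Reset Password" control access right.

```powershell
# Added example (not from the thread). Delegates, without the wizard, the
# rights the thread converges on: "Write all properties" and "Reset password"
# on computer objects under an OU (post #7), plus post #4's create/delete
# variant behind a switch. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schema GUID: computer class
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right

$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

function Grant-ComputerRejoinRights {
    param(
        [Parameter(Mandatory)][string]$OuDN,       # e.g. 'OU=Workstations,DC=company,DC=com' (constructed)
        [Parameter(Mandatory)][string]$GroupName,  # e.g. 'Workstation Admins' (constructed)
        [switch]$AllowCreateDelete                 # post #4's wider variant
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDN"

    # "Write all properties" = WriteProperty with no property GUID, inherited only
    # by computer objects below the OU; the OU object itself gets nothing.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights::WriteProperty, $Allow, $Inh::Descendents, $ComputerClass))

    # "Reset password" is a control access right: an ExtendedRight ACE whose
    # object type is the right's GUID, again scoped to computer objects.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights::ExtendedRight, $Allow, $ResetPassword, $Inh::Descendents, $ComputerClass))

    if ($AllowCreateDelete) {
        # Create/delete computer objects in this OU and sub-OUs: for a
        # CreateChild/DeleteChild ACE the object type is the child's class.
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $ComputerClass, $Inh::All))
    }
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Get-DelegatedComputerAces {
    # Read back what a computer object in the OU inherited for the group.
    param([Parameter(Mandatory)][string]$ComputerDN, [Parameter(Mandatory)][string]$GroupName)
    (Get-Acl -Path "AD:\$ComputerDN").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
}

# Usage (constructed names):
# Grant-ComputerRejoinRights -OuDN 'OU=Workstations,DC=company,DC=com' -GroupName 'Workstation Admins'
# Get-DelegatedComputerAces -ComputerDN 'CN=PC01,OU=Workstations,DC=company,DC=com' -GroupName 'Workstation Admins'
```

Two things to keep in mind when using this. "Write all properties" on a computer object covers every attribute, including servicePrincipalName and msDS-AllowedToActOnBehalfOfOtherIdentity, so the delegated group can configure resource-based constrained delegation to those hosts; in practice it is control of those machines, which is acceptable for the machines' own sysadmins but is a reason to keep the OU scope tight. If you want something narrower than what the thread settled on, the join operation itself needs only Reset password, the validated writes to DNS host name and to service principal name, and Write account restrictions, rather than all properties.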

              • #8
                Re: Absolute minimum rights to join domain

                I've been caught out twice on this post by your previous edits.
                But good stuff

                • #9
                  Re: Absolute minimum rights to join domain

                  That's what I figured