Giving Users Right To Join Computers To Domain

  • Giving Users Right To Join Computers To Domain

    environment: Windows 2008 R2 active directory (Windows 2003 functional level domain)


    DOMAIN
    |
    |- Computers (default OU)
    |
    |- OU 01
    |
    |- OU 02
    |
    |- OU 03
    |
    |- OU 04
    |
    |- OU 05
    | |-people
    | |-computers
    |
    |- OU 06


    We have employees who act as tech support for the individual departments.

    We do not want to make them Domain Administrators.

    (1) Is it possible to give a user rights to join and remove computers from the Windows domain for a specific OU (which corresponds to their department)?

    For example, given the structure above, can a user be given permission to take a workstation that is in the standalone WORKGROUP, and join it to the domain in OU 05\computers ?

    (2) Conversely, can they remove the computer, and the computer account, from the domain?


    In the past, this task has always been done by Domain Administrators, so I've never given it any thought. But we'd like to delegate it to others.

    Thanks.
    Last edited by Robert R.; 18th July 2011, 20:58.

  • #2
    Re: Giving Users Right To Join Computers To Domain

    yes.

    you can use the delegation of authority wizard.

    side note, a standard user can actually join something like 5 computers to a domain without needing DA privileges.
    Please do show your appreciation to those who assist you by leaving Rep Point


    • #3
      Re: Giving Users Right To Join Computers To Domain

      "you can use the delegation of authority wizard."

      Thanks. That was quick.



      • #4
        Re: Giving Users Right To Join Computers To Domain

        10 machines by default for an authenticated user; the limit is actually based on the number of SIDs that a user is allowed to create. Using the delegation of authority wizard is the way to go to increase this limit without granting additional permissions, as tehcamel said.

        Pretty sure you only need to be a Local Administrator on the PC to remove it from the domain, but you would need to be delegated further permissions to remove the computer account from Active Directory for certain.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog



        • #5
          Re: Giving Users Right To Join Computers To Domain

          Cruachan is correct -- any local admin can remove from domain, but will leave a legacy computer account behind

          10 user limit can, IIRC, be increased through GPO

          Note you might be better to have pre-staged computer accounts so when a user adds a computer it goes into the correct OU and not the default computer container
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **
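
The OU-scoped delegation asked about in the first post, as an added example that is not part of the original thread: it reads the domain attribute that holds the default per-user join limit mentioned in #4, grants one group create and delete rights on computer objects in OU 05\computers only, then lists the resulting ACEs for review. The group name `OU05-TechSupport` is hypothetical, and the script assumes the ActiveDirectory module and `dsacls.exe` on a 2008 R2 admin host.

```powershell
# Added example. Group name and OU layout below are assumptions for illustration.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$targetOu = "OU=computers,OU=OU 05,$domainDn"            # "OU 05\computers" from the question
$delegate = "$($domain.NetBIOSName)\OU05-TechSupport"    # hypothetical tech-support group

# 1. Audit the domain-wide quota: how many machine accounts any authenticated
#    user may create without delegation (the default of 10 discussed in #4).
$attr  = 'ms-DS-MachineAccountQuota'
$quota = (Get-ADObject -Identity $domainDn -Properties $attr).$attr
Write-Output "$attr on $domainDn = $quota"

# Optional hardening once delegation is in place, so that joins happen only
# through delegated rights (left commented out on purpose):
# Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Grant the group Create Child (CC) and Delete Child (DC) for computer
#    objects only, on this OU and its sub-objects (/I:T). No rights elsewhere.
& dsacls.exe $targetOu /I:T /G "${delegate}:CCDC;computer"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# 3. Review what the group now holds on the OU. Keep this output with the
#    change record so later ACL drift can be compared against it.
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $delegate } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritanceType, AccessControlType |
    Format-Table -AutoSize

# 4. On the workstation, a delegate names the OU explicitly so the account
#    does not land in the default Computers container (domain name is a placeholder):
# Add-Computer -DomainName '<your.domain>' -OUPath $targetOu -Credential (Get-Credential)
```

The Delete Child right covers removing the computer account from this OU; unjoining the workstation itself is done from the machine.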

