Giving Users Right To Join Computers To Domain


This topic contains 4 replies, has 4 voices, and was last updated by tehcamel 8 years, 8 months ago.

    Robert R.
    Participant
    #155517

    environment: Windows 2008 R2 active directory (Windows 2003 functional level domain)

    DOMAIN
    |
    |- Computers (default OU)
    |
    |_ OU 01
    |
    |- OU 02
    |
    |- OU 03
    |
    |- OU 04
    |
    |- OU 05
    | |-people
    | |-computers
    |
    |- OU 06

    We have employees who act as tech support for the individual departments.

    We do not want to make them Domain Administrators.

    (1) Is it possible to give a user rights to join and remove computers from the Windows domain for a specific OU (which corresponds to their department)?

    For example, given the structure above, can a user be given permission to take a workstation that is in the standalone WORKGROUP, and join it to the domain in OU 05\computers?

    (2) Conversely, can they remove the computer, and the computer account, from the domain?

    In the past, this task has always been done by Domain Administrators, so I’ve never given it any thought. But we’d like to delegate it to others.

    Thanks.

    tehcamel
    Moderator
    #357847

    Re: Giving Users Right To Join Computers To Domain

    Yes.

    You can use the delegation of authority wizard.

    Side note: a standard user can actually join something like 5 computers to a domain without needing DA privileges.

    Robert R.
    Participant
    #353186

    Re: Giving Users Right To Join Computers To Domain

    “you can use the delegation of authority wizard.”

    Thanks. That was quick.

    cruachan
    Participant
    #330192

    Re: Giving Users Right To Join Computers To Domain

    10 machines by default for an authenticated user; the limit is actually based on the number of SIDs that a user is allowed to create. Using the delegation of authority wizard is the way to go to increase this limit without granting additional permissions, as tehcamel said.

    Pretty sure you only need to be a Local Administrator on the PC to remove it from the domain, but you would need to be delegated further permissions to remove the computer account from Active Directory for certain.

    Ossian
    Moderator
    #184694

    Re: Giving Users Right To Join Computers To Domain

    Cruachan is correct — any local admin can remove from domain, but will leave a legacy computer account behind.

    10 user limit can, IIRC, be increased through GPO.

    Note you might be better to have pre-staged computer accounts, so when a user adds a computer it goes into the correct OU and not the default computer container.
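
The OU-scoped delegation and pre-staging discussed in this thread, as an added PowerShell example that is not from any of the posters. It assumes the RSAT ActiveDirectory module and `dsacls` are available; the domain `example.com`, the group `EXAMPLE\OU05-TechSupport` and the computer name `WS-OU05-001` are hypothetical placeholders, and the OU path is modeled on the "OU 05 / computers" layout in the question.

```powershell
# Added example: least-privilege delegation for department tech support.
# Assumed names (not from the thread): example.com, EXAMPLE\OU05-TechSupport, WS-OU05-001.
Import-Module ActiveDirectory

$ou    = 'OU=computers,OU=OU 05,DC=example,DC=com'   # target OU (assumed DN)
$group = 'EXAMPLE\OU05-TechSupport'                   # delegated group (assumed)

# 1. Read the domain-wide default join limit for ordinary authenticated users.
#    It is stored in the ms-DS-MachineAccountQuota attribute on the domain object.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota"

# 2. Let the group create and delete computer objects in this OU only
#    (CC = create child, DC = delete child, limited to the 'computer' class).
dsacls $ou /I:T /G "${group}:CCDC;computer"

# 3. Let the group join or rejoin machines against computer accounts that
#    already exist in the OU (/I:S = apply to child objects only).
dsacls $ou /I:S /G "${group}:CA;Reset Password;computer"
dsacls $ou /I:S /G "${group}:WP;Account Restrictions;computer"
dsacls $ou /I:S /G "${group}:WS;Validated write to DNS host name;computer"
dsacls $ou /I:S /G "${group}:WS;Validated write to service principal name;computer"

# 4. Pre-stage a computer account so the join lands in the right OU
#    instead of the default Computers container.
New-ADComputer -Name 'WS-OU05-001' -SamAccountName 'WS-OU05-001' -Path $ou -Enabled $true

# 5. Review what was granted: list only the ACEs that mention the group.
dsacls $ou | Select-String -SimpleMatch $group
```

Running step 5 periodically, or after any change to the OU, shows whether the group's rights have drifted beyond computer objects in its own department.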
