locked
What is the minimum privilege to join client PC to AD Domain? RRS feed

  • Question

  • Hi,

    In the AD user groups, what is the group which has the minimum privilege and can join the client PC to AD domain?  Is it possible for a user that is not in the group of Administrator/Enterprise Admin but still can perform add WinXP to the AD domain?  Thanks for help.

    Jason

     

    Tuesday, July 6, 2010 8:27 AM

Answers

  • As others have pointed out, by default, any authenticated user can join computers to the domain (the number of computers added in this manner, is limited by the value of ms-DS-MachineAccountQuota attribute, set by default to 10 (more on this at http://support.microsoft.com/kb/243327)

    The recommended approach is to limit the user rights to add workstations to domain user right assignment (Default Domain Controllers GPO) by removing Authenticated Users and adding a designated group of support staff that will be handling computer provisioning tasks

    hth
    Marcin

    • Marked as answer by Karen Ji Friday, July 9, 2010 2:05 AM
    Tuesday, July 6, 2010 10:56 AM

All replies

  • Hello,

    add them to the "Add workstations to the domain" GPO setting under a GPO on the Domain controller OU, mostly the Default domain controllers policy is used, but i prefer to create an own one on that level and keep the default untouched:

    Computer configuration, windows settings, security settings, local policies, user rights assignment


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, July 6, 2010 8:38 AM
  • any user can add the pc in to domain up to 10 times. this is sort of seucirty risk in a company but so most people remove this limit. but i just want to say any regular user can add pc to domain up to 10 times.
    Dishan M. Francis, Senior Technology Consultant
    Tuesday, July 6, 2010 8:41 AM
  • Hi

     

    You need to user group policy delegation option to provide the permission for a user to add systems to domain.

    Please find the below link to achieve the same.

     

    http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx

     

    Regards


    Rajesh J S
    Tuesday, July 6, 2010 8:42 AM
  • Is it possible for a user that is not in the group of Administrator/Enterprise Admin but still can perform add WinXP to the AD domain? 


    Yes.
    By default, a user can join up to ten workstations to an Active Directory domain. This limit does not apply to users and/or groups that have specific rights (as Meinolf points out in his answer) to join workstations to the domain.

    More information can be found in these Microsoft Knowledgebase Articles:

    Tuesday, July 6, 2010 8:43 AM
  • As others have pointed out, by default, any authenticated user can join computers to the domain (the number of computers added in this manner, is limited by the value of ms-DS-MachineAccountQuota attribute, set by default to 10 (more on this at http://support.microsoft.com/kb/243327)

    The recommended approach is to limit the user rights to add workstations to domain user right assignment (Default Domain Controllers GPO) by removing Authenticated Users and adding a designated group of support staff that will be handling computer provisioning tasks

    hth
    Marcin

    • Marked as answer by Karen Ji Friday, July 9, 2010 2:05 AM
    Tuesday, July 6, 2010 10:56 AM