joining a computer to domain by delegating to domain user

    Question

  • hi.

    We have help desk users in our organization. We delegated them the right to reset passwords only, and removed them from the Account Operators group. Now we have a new problem: they cannot join a computer to the domain (after they reach the 10-computer limit). We don't want to add them to Account Operators (because of security). So what should we do now so that help desk users can only reset passwords and join a computer to the domain?? Our DC has Windows Server 2003 and the clients have Windows XP.

    Thanks

    Sunday, November 28, 2010 1:55 PM

Answers

  • To resolve the issue in which users cannot join a computer to a domain, follow these steps:
    1. Click Start, click Run, type dsa.msc, and then click OK.
    2. In the task pane, expand the domain node.
    3. Locate and right-click the OU that you want to modify, and then click Delegate Control.
    4. In the Delegation of Control Wizard, click Next.
    5. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
    6. In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
    7. Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
    8. Click Next.
    9. In the Permissions list, click to select the following check boxes:
      • Reset Password
      • Read and write Account Restrictions
      • Validated write to DNS host name
      • Validated write to service principal name
    10. Click Next, and then click Finish.
    11. Close the "Active Directory Users and Computers" MMC snap-in.

    Hope this will resolve your issue.

    For further queries, please revert.

    Wednesday, December 15, 2010 12:02 PM
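    The same delegation as the wizard steps above, done from PowerShell so it can be repeated on several OUs and reviewed afterwards. This is an added example and not code from the original thread; the group name CORP\HelpDesk and the OU OU=Workstations,DC=corp,DC=example are assumed. It needs the ActiveDirectory module (RSAT) on the admin workstation; the DC itself can stay on Windows Server 2003. The object-class and right GUIDs are read from the forest schema and Extended-Rights container rather than hard-coded (the well-known values are in the comments for cross-checking).

```powershell
# Added example (not from the thread): delegate "join computers to this OU" to a
# help-desk group, matching the five rights granted by the Delegation of Control
# Wizard in the answer above. Assumed names: group 'HelpDesk', OU below.
Import-Module ActiveDirectory

$groupName = 'HelpDesk'                                     # assumed group
$ouDN      = 'OU=Workstations,DC=corp,DC=example'           # assumed OU
$sid       = (Get-ADGroup -Identity $groupName).SID

# The 10-computer limit the question hits is ms-DS-MachineAccountQuota on the
# domain head. It only throttles users who rely on the "Add workstations to
# domain" user right; explicit Create rights on an OU are not counted against it.
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $domainDN is $quota"

# Resolve GUIDs from the directory instead of trusting a copied table.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                      -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                      -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$computerClass = Get-SchemaGuid 'computer'                                    # bf967a86-0de6-11d0-a285-00aa003049e2
$resetPassword = Get-RightGuid  'Reset Password'                              # 00299570-246d-11d0-a768-00aa006e0529
$acctRestrict  = Get-RightGuid  'Account Restrictions'                        # 4c164200-20c0-11d0-a768-00aa006e0529
$validatedDns  = Get-RightGuid  'Validated write to DNS host name'            # 72e39547-7b18-11d1-adef-0000f80367c1
$validatedSpn  = Get-RightGuid  'Validated write to service principal name'   # f3a64788-5306-11d1-a9c5-0000f80367c1

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$aces = @(
    # Wizard step 7: create/delete Computer objects in this OU and its sub-OUs.
    # Drop DeleteChild if the help desk must not be able to remove machine accounts.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $Allow, $computerClass, $All)
    # Reset Password on descendant computer objects: the join sets the machine password.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $Allow, $resetPassword, $Desc, $computerClass)
    # Read/Write Account Restrictions property set: covers userAccountControl.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $Allow, $acctRestrict, $Desc, $computerClass)
    # Validated writes: the join writes dNSHostName and servicePrincipalName.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::Self,
        $Allow, $validatedDns, $Desc, $computerClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::Self,
        $Allow, $validatedSpn, $Desc, $computerClass)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only what the help-desk group now holds on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

    Two things to check before relying on this. First, the ACL only helps if the computer account actually lands in that OU: a join started from the workstation creates the account in the domain's default computer container (CN=Computers) unless the account is pre-staged in the OU, the join names a target OU, or the default container has been redirected with redircmp, so delegate on whichever container the join will really use. Second, the four permissions beyond Create are the rights the join exercises on the account itself (setting the machine password, the userAccountControl flags in the Account Restrictions set, and the dNSHostName and servicePrincipalName validated writes); they matter most when the account already exists, for example a pre-staged or re-joined machine, where Create alone gives the help desk nothing. Keep the scope to the workstation OU: Reset Password on computer objects is a right to reset machine account passwords, not something to grant at the domain root.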
  • To decide who has the right to add computers to domains, you can delegate this responsibility to an individual or group in your organization by adding them to the "Add workstations to domain" Group Policy setting.

    Please refer to this Microsoft article.



    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration


    We added 2 help desk users to this Group Policy, but they can't join a computer to the domain. I mentioned that those users are not in any built-in group such as Account Operators. We want help desk users to be able to join a computer to the domain only from the workstation, not from the domain controller, without any limit on the number of computers.

    Monday, November 29, 2010 1:09 PM

All replies

  • To decide who has the right to add computers to domains, you can delegate this responsibility to an individual or group in your organization by adding them to the "Add workstations to domain" Group Policy setting.

    Please refer to this Microsoft article.



    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    • Proposed as answer by St Josephs Tuesday, January 19, 2016 2:34 PM
    Sunday, November 28, 2010 9:45 PM
  • We added 2 help desk users to this Group Policy, but they can't join a computer to the domain. I mentioned that those users are not in any built-in group such as Account Operators. We want help desk users to be able to join a computer to the domain only from the workstation, not from the domain controller, without any limit on the number of computers.


    Monday, November 29, 2010 5:58 AM
  • Hi Amit,

    Thank you so much for posting this answer.

    If you don't mind, can you please tell me: if I only select Computer objects and then check Create selected objects in this folder and Delete selected objects in this folder,

    is it OK? (What problem will I face if I don't give the permissions below?)

    In the Permissions list, click to select the following check boxes:

    Reset Password
    Read and write Account Restrictions
    Validated write to DNS host name
    Validated write to service principal name

    I mean, why do I need to give these additional permissions?

    Waiting for your reply.


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com

    Saturday, April 21, 2012 11:35 AM