Rights to join a computer to workstation

Anonymous
March 31, 2005 4:07:22 PM

Archived from groups: microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory

Hi,

What are the MINIMAL required permissions/rights in order for a user to be
able to join a domain? The scenario is to create a user with minimal rights,
who can only join/add workstations to the domain.

I've created a domain user, removed him from all default groups and made him
member of "Domain Guests" group only.

Next I've added this user to the Domain Security policy "Add Workstations to
domain".

Now, this user also needs permissions/rights in the "Computers" container as
well as the other OUs, where he should be able to join/add workstation into.
Are there any docs describing the minimal required permissions to do so?

The domain is in Windows 2000 Native mode.

Until today this has worked fine - the error code I get from NETDOM now is
8557, which is:

"Your computer could not be joined to the domain. You have exceeded the
maximum number of computer accounts you are allowed to create in this
domain. Contact your system administrator to have this limit reset or
increased."

Afaik, this limit should not exist for users with the policy "Add
Workstations to domain".

Any ideas?

--
Theepan


March 31, 2005 4:07:23 PM

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory

In a Windows 2000 domain, the maximum number of machine accounts that any
authenticated user can join to a domain is 10.
This maximum-limit value can be changed in the Active Directory.

Please refer to following KB article for solution:
http://support.microsoft.com/kb/251335/EN-US/

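An added example, not part of the original posts: a PowerShell audit of the per-user limit described in the reply above, showing which accounts have used it up. It assumes the ActiveDirectory module (RSAT) and the attribute names `ms-DS-MachineAccountQuota` (on the domain object) and `ms-DS-CreatorSID` (on computer objects), neither of which the thread names.

```powershell
# Added example; requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# The per-user limit is stored on the domain head object (default 10).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# Computer accounts created through the "Add workstations to domain" user right
# record the creator's SID in ms-DS-CreatorSID; these count against the quota.
# Accounts created via a delegated "Create Computer objects" permission on a
# container do not carry this attribute and are not limited.
$created = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
             -Properties 'ms-DS-CreatorSID'

$created |
    Group-Object -Property { "$($_.'ms-DS-CreatorSID')" } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Name)
        try {
            $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # The creating account no longer exists or cannot be resolved.
            $who = "$($_.Name) (unresolved)"
        }
        [pscustomobject]@{
            Creator   = $who
            Computers = $_.Count
            Quota     = $quota
            AtLimit   = ($_.Count -ge $quota)
        }
    } |
    Sort-Object -Property Computers -Descending |
    Format-Table -AutoSize
```

A creator listed with `AtLimit = True` will receive error 8557 on the next join until the quota is raised, the stale computer accounts are removed, or the join is done through a delegated create permission on the target container.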
Anonymous
March 31, 2005 10:43:02 PM

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory

Hi,
I would like to ask if you know what kind of permission the "normal" users
must have to REMOVE a workstation from the domain.

I grant the permission "Add workstation to domain" for the Install group of
users, but they can't remove a computer from the domain when they need to
re-install any computer. That makes a lot of calls from these users for us to
manually delete those accounts...

Thanks.
Eduardo S. Antunes
BRASIL



Anonymous
April 1, 2005 9:09:10 AM

Archived from groups: microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory

"Eduardo S. Antunes" <Eduardo S. Antunes@discussions.microsoft.com>
wrote in message news:Eduardo S. Antunes@discussions.microsoft.com:
> Hi,
> I would like to ask if you know what kind of permission the "normal" users
> must have to REMOVE a workstation from the domain.
>
> I grant the permission "Add workstation to domain" for the Install group of
> users, but they can't remove a computer from the domain when they need to
> re-install any computer. That makes a lot of calls from these users for us to
> manually delete those accounts...
>

Hi Eduardo,

As far as I know they need to be local Admin and require the right to
Delete the Computer Object in AD.

The following guide might help you:

Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/downloads/details.aspx?FamilyI...

Best Practices for Delegating Active Directory Administration Appendices
http://www.microsoft.com/downloads/details.aspx?FamilyI...


--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
Anonymous
April 1, 2005 9:51:02 AM

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory

Thanks Ulf
I grant permissions to Computer Objects to my group and now everything is ok.

Thank you.


Anonymous
April 2, 2005 5:33:42 PM

Archived from groups: microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory

"Eduardo S. Antunes" <Eduardo S. Antunes@discussions.microsoft.com>
wrote in message news:Eduardo S. Antunes@discussions.microsoft.com:
> Thanks Ulf
> I grant permissions to Computer Objects to my group and now everything is ok.
>
> Thank you.
>

You're welcome - glad you got it working as you wanted it.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org