Rights to join a computer to workstation
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)
Hi,
What are the MINIMAL required permissions/rights in order for a user to be
able to join a domain? The scenario is to create a user with minimal rights,
who can only join/add workstations to the domain.
I've created a domain user, removed him from all default groups and made him
member of "Domain Guests" group only.
Next I've added this user to the Domain Security policy "Add Workstations to
domain".
Now, this user also needs permissions/rights in the "Computers" container as
well as the other OUs, where he should be able to join/add workstation into.
Are there any docs describing the minimal required permissions to do so?
The domain is in Windows 2000 Native mode.
Until today this has worked fine - the error code I get from NETDOM now is
8557, which is:
"Your computer could not be joined to the domain. You have exceeded the
maximum number of computer accounts you are allowed to create in this
domain. Contact your system administrator to have this limit reset or
increased."
Afaik, this limit should not exist for users with the policy "Add
Workstations to domain".
Any ideas?
--
Theepan
Hi,
What are the MINIMAL required permissions/rights in order for a user to be
able to join a domain? The scenario is to create a user with minimal rights,
who can only join/add workstations to the domain.
I've created a domain user, removed him from all default groups and made him
member of "Domain Guests" group only.
Next I've added this user to the Domain Security policy "Add Workstations to
domain".
Now, this user also needs permissions/rights in the "Computers" container as
well as the other OUs, where he should be able to join/add workstation into.
Are there any docs describing the minimal required permissions to do so?
The domain is in Windows 2000 Native mode.
Until today this has worked fine - the error code I get from NETDOM now is
8557, which is:
"Your computer could not be joined to the domain. You have exceeded the
maximum number of computer accounts you are allowed to create in this
domain. Contact your system administrator to have this limit reset or
increased."
Afaik, this limit should not exist for users with the policy "Add
Workstations to domain".
Any ideas?
--
Theepan
More about : rights join computer workstation
Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)
In a Windows 2000 domain, the maximum number of machine accounts that any
authenticated user can join to a domain is 10.
This maximum-limit value can be changed in the Active Directory.
Please refer to following KB article for solution:
http://support.microsoft.com/kb/251335/EN-US/
"Theepan" wrote:
> Hi,
>
> What are the MINIMAL required permissions/rights in order for a user to be
> able to join a domain? The scenario is to create a user with minimal rights,
> who can only join/add workstations to the domain.
>
> I've created a domain user, removed him from all default groups and made him
> member of "Domain Guests" group only.
>
> Next I've added this user to the Domain Security policy "Add Workstations to
> domain".
>
> Now, this user also needs permissions/rights in the "Computers" container as
> well as the other OUs, where he should be able to join/add workstation into.
> Are there any docs describing the minimal required permissions to do so?
>
> The domain is in Windows 2000 Native mode.
>
> Until today this has worked fine - the error code I get from NETDOM now is
> 8557, which is:
>
> "Your computer could not be joined to the domain. You have exceeded the
> maximum number of computer accounts you are allowed to create in this
> domain. Contact your system administrator to have this limit reset or
> increased."
>
> Afaik, this limit should not exist for users with the policy "Add
> Workstations to domain".
>
> Any ideas?
>
> --
> Theepan
>
>
>
In a Windows 2000 domain, the maximum number of machine accounts that any
authenticated user can join to a domain is 10.
This maximum-limit value can be changed in the Active Directory.
Please refer to following KB article for solution:
http://support.microsoft.com/kb/251335/EN-US/
"Theepan" wrote:
> Hi,
>
> What are the MINIMAL required permissions/rights in order for a user to be
> able to join a domain? The scenario is to create a user with minimal rights,
> who can only join/add workstations to the domain.
>
> I've created a domain user, removed him from all default groups and made him
> member of "Domain Guests" group only.
>
> Next I've added this user to the Domain Security policy "Add Workstations to
> domain".
>
> Now, this user also needs permissions/rights in the "Computers" container as
> well as the other OUs, where he should be able to join/add workstation into.
> Are there any docs describing the minimal required permissions to do so?
>
> The domain is in Windows 2000 Native mode.
>
> Until today this has worked fine - the error code I get from NETDOM now is
> 8557, which is:
>
> "Your computer could not be joined to the domain. You have exceeded the
> maximum number of computer accounts you are allowed to create in this
> domain. Contact your system administrator to have this limit reset or
> increased."
>
> Afaik, this limit should not exist for users with the policy "Add
> Workstations to domain".
>
> Any ideas?
>
> --
> Theepan
>
>
>
Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)
Hi
i would like to ask if you knows what kind of permission the "normal" users
must have to REMOVE a workstation from domain.
I grant the permission "Add workstation to domain" for Install group of
users, but they can't remove a computer from domain when they need to
re-install any computer. That make a lot of calls from this users for us to
manual delete those accounts...
Thanks.
Eduardo S. Antunes
BRASIL
"ac" wrote:
> In a Windows 2000 domain, the maximum number of machine accounts that any
> authenticated user can join to a domain is 10.
> This maximum-limit value can be changed in the Active Directory.
>
> Please refer to following KB article for solution:
> http://support.microsoft.com/kb/251335/EN-US/
>
> "Theepan" wrote:
>
> > Hi,
> >
> > What are the MINIMAL required permissions/rights in order for a user to be
> > able to join a domain? The scenario is to create a user with minimal rights,
> > who can only join/add workstations to the domain.
> >
> > I've created a domain user, removed him from all default groups and made him
> > member of "Domain Guests" group only.
> >
> > Next I've added this user to the Domain Security policy "Add Workstations to
> > domain".
> >
> > Now, this user also needs permissions/rights in the "Computers" container as
> > well as the other OUs, where he should be able to join/add workstation into.
> > Are there any docs describing the minimal required permissions to do so?
> >
> > The domain is in Windows 2000 Native mode.
> >
> > Until today this has worked fine - the error code I get from NETDOM now is
> > 8557, which is:
> >
> > "Your computer could not be joined to the domain. You have exceeded the
> > maximum number of computer accounts you are allowed to create in this
> > domain. Contact your system administrator to have this limit reset or
> > increased."
> >
> > Afaik, this limit should not exist for users with the policy "Add
> > Workstations to domain".
> >
> > Any ideas?
> >
> > --
> > Theepan
> >
> >
> >
Hi
i would like to ask if you knows what kind of permission the "normal" users
must have to REMOVE a workstation from domain.
I grant the permission "Add workstation to domain" for Install group of
users, but they can't remove a computer from domain when they need to
re-install any computer. That make a lot of calls from this users for us to
manual delete those accounts...
Thanks.
Eduardo S. Antunes
BRASIL
"ac" wrote:
> In a Windows 2000 domain, the maximum number of machine accounts that any
> authenticated user can join to a domain is 10.
> This maximum-limit value can be changed in the Active Directory.
>
> Please refer to following KB article for solution:
> http://support.microsoft.com/kb/251335/EN-US/
>
> "Theepan" wrote:
>
> > Hi,
> >
> > What are the MINIMAL required permissions/rights in order for a user to be
> > able to join a domain? The scenario is to create a user with minimal rights,
> > who can only join/add workstations to the domain.
> >
> > I've created a domain user, removed him from all default groups and made him
> > member of "Domain Guests" group only.
> >
> > Next I've added this user to the Domain Security policy "Add Workstations to
> > domain".
> >
> > Now, this user also needs permissions/rights in the "Computers" container as
> > well as the other OUs, where he should be able to join/add workstation into.
> > Are there any docs describing the minimal required permissions to do so?
> >
> > The domain is in Windows 2000 Native mode.
> >
> > Until today this has worked fine - the error code I get from NETDOM now is
> > 8557, which is:
> >
> > "Your computer could not be joined to the domain. You have exceeded the
> > maximum number of computer accounts you are allowed to create in this
> > domain. Contact your system administrator to have this limit reset or
> > increased."
> >
> > Afaik, this limit should not exist for users with the policy "Add
> > Workstations to domain".
> >
> > Any ideas?
> >
> > --
> > Theepan
> >
> >
> >
Archived from groups: microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)
"Eduardo S. Antunes" <Eduardo S. Antunes@discussions.microsoft.com>
wrote in message news:Eduardo S. Antunes@discussions.microsoft.com:
> Hi
> i would like to ask if you knows what kind of permission the "normal"
> users
> must have to REMOVE a workstation from domain.
>
> I grant the permission "Add workstation to domain" for Install group of
> users, but they can't remove a computer from domain when they need to
> re-install any computer. That make a lot of calls from this users for us
> to
> manual delete those accounts...
>
Hi Eduardo,
As far as I know they need to be local Admin and require the right to
Delete the Computer Object in AD.
The following guide might help you:
Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/downloads/details.aspx?FamilyI...
Best Practices for Delegating Active Directory Administration Appendices
http://www.microsoft.com/downloads/details.aspx?FamilyI...
--
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
"Eduardo S. Antunes" <Eduardo S. Antunes@discussions.microsoft.com>
wrote in message news:Eduardo S. Antunes@discussions.microsoft.com:
> Hi
> i would like to ask if you knows what kind of permission the "normal"
> users
> must have to REMOVE a workstation from domain.
>
> I grant the permission "Add workstation to domain" for Install group of
> users, but they can't remove a computer from domain when they need to
> re-install any computer. That make a lot of calls from this users for us
> to
> manual delete those accounts...
>
Hi Eduardo,
As far as I know they need to be local Admin and require the right to
Delete the Computer Object in AD.
The following guide might help you:
Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/downloads/details.aspx?FamilyI...
Best Practices for Delegating Active Directory Administration Appendices
http://www.microsoft.com/downloads/details.aspx?FamilyI...
--
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)
Thanks Ulf
I grant permissions to Computer Objects to my group and now everything is ok.
Thank you.
"Ulf B. Simon-Weidner [MVP]" wrote:
> "Eduardo S. Antunes" <Eduardo S. Antunes@discussions.microsoft.com>
> wrote in message news:Eduardo S. Antunes@discussions.microsoft.com:
> > Hi
> > i would like to ask if you knows what kind of permission the "normal"
> > users
> > must have to REMOVE a workstation from domain.
> >
> > I grant the permission "Add workstation to domain" for Install group of
> > users, but they can't remove a computer from domain when they need to
> > re-install any computer. That make a lot of calls from this users for us
> > to
> > manual delete those accounts...
> >
>
> Hi Eduardo,
>
> As far as I know they need to be local Admin and require the right to
> Delete the Computer Object in AD.
>
> The following guide might help you:
>
> Best Practices for Delegating Active Directory Administration
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>
> Best Practices for Delegating Active Directory Administration Appendices
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>
>
> --
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner
>
> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> Weblog: http://msmvps.org/UlfBSimonWeidner
> WebSite: http://www.windowsserverfaq.org
>
Thanks Ulf
I grant permissions to Computer Objects to my group and now everything is ok.
Thank you.
"Ulf B. Simon-Weidner [MVP]" wrote:
> "Eduardo S. Antunes" <Eduardo S. Antunes@discussions.microsoft.com>
> wrote in message news:Eduardo S. Antunes@discussions.microsoft.com:
> > Hi
> > i would like to ask if you knows what kind of permission the "normal"
> > users
> > must have to REMOVE a workstation from domain.
> >
> > I grant the permission "Add workstation to domain" for Install group of
> > users, but they can't remove a computer from domain when they need to
> > re-install any computer. That make a lot of calls from this users for us
> > to
> > manual delete those accounts...
> >
>
> Hi Eduardo,
>
> As far as I know they need to be local Admin and require the right to
> Delete the Computer Object in AD.
>
> The following guide might help you:
>
> Best Practices for Delegating Active Directory Administration
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>
> Best Practices for Delegating Active Directory Administration Appendices
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>
>
> --
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner
>
> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> Weblog: http://msmvps.org/UlfBSimonWeidner
> WebSite: http://www.windowsserverfaq.org
>
Archived from groups: microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)
"Eduardo S. Antunes" <Eduardo S. Antunes@discussions.microsoft.com>
wrote in message news:Eduardo S. Antunes@discussions.microsoft.com:
> Thanks Ulf
> I grant permissions to Computer Objects to my group and now everything is
> ok.
>
> Thank you.
>
You're welcome - glad you got it working as you wanted it.
--
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
"Eduardo S. Antunes" <Eduardo S. Antunes@discussions.microsoft.com>
wrote in message news:Eduardo S. Antunes@discussions.microsoft.com:
> Thanks Ulf
> I grant permissions to Computer Objects to my group and now everything is
> ok.
>
> Thank you.
>
You're welcome - glad you got it working as you wanted it.
--
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
Related ressources:
- Forumjoin AD user to XP workstation Admin group
- ForumRestrict Who can a computer to the domain join Domain
- ForumHow to modify ???? policy after join to the domain that allows me to install pro
- ForumUnable to Join to a domain
- ForumNot able to join domain
- ForumJoin a PC to a specific OU?
- ForumJoin Windows 7 PC to 2 domains?
- ForumHigh-End personal Workstation Guidance
- ForumAuto- join domain while imaging with sysprep
- Forum2000 upgrade - auto join domain
- Forumdelegated rights only allow 10 changes
- ForumAdd NT 4 Workstation in a W2K Domain without PDC Emulator
- ForumWin 2K pro workstation joining domain, and losing all emai..
- ForumXP Users Access Rights to install on NT server
- ForumNehalem Comes to Xeon 5500 Series Server and Workstation Processors
- ForumSlow logon for new dell workstation
- ForumAccess workstation 's share drive in AD domain
- ForumParallel and com ports not appearing in device manager
- ForumProblem with deleted Computer Object
- ForumHow do I create computer accounts without setting up new p..
- More resources
!
