Rights to join a computer to workstation

Archived from groups: microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory

Hi,

What are the MINIMAL required permissions/rights in order for a user to be
able to join a domain? The scenario is to create a user with minimal rights,
who can only join/add workstations to the domain.

I've created a domain user, removed him from all default groups and made him
member of "Domain Guests" group only.

Next I've added this user to the Domain Security policy "Add Workstations to
domain".

Now, this user also needs permissions/rights in the "Computers" container as
well as the other OUs, where he should be able to join/add workstation into.
Are there any docs describing the minimal required permissions to do so?

The domain is in Windows 2000 Native mode.

Until today this has worked fine - the error code I get from NETDOM now is
8557, which is:

"Your computer could not be joined to the domain. You have exceeded the
maximum number of computer accounts you are allowed to create in this
domain. Contact your system administrator to have this limit reset or
increased."

Afaik, this limit should not exist for users with the policy "Add
Workstations to domain".

Any ideas?

--
Theepan
  1. Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory

    In a Windows 2000 domain, the maximum number of machine accounts that any
    authenticated user can join to a domain is 10.
    This maximum-limit value can be changed in the Active Directory.

    Please refer to following KB article for solution:
    http://support.microsoft.com/kb/251335/EN-US/

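The per-user limit this answer describes can be compared with what is actually in the directory. The following is an added example, not part of the original thread: it reads the domain's `ms-DS-MachineAccountQuota` attribute and counts computer objects per creating account. It assumes the ActiveDirectory PowerShell module (not available on Windows 2000 itself) and the `mS-DS-CreatorSID` attribute, neither of which the thread mentions.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (RSAT) and an account that can read the domain partition.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# The quota is stored on the domain head object; the default value is 10.
$domainObject = Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota'
$quota = $domainObject.'ms-DS-MachineAccountQuota'
Write-Output "Machine account quota for $($domain.DNSRoot): $quota"

# mS-DS-CreatorSID is populated on computer objects that were created
# through the "Add workstations to domain" user right, so it identifies
# whose quota each object counts against.
$joined = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' }

$joined |
    Group-Object { [string]$_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $group = $_   # keep a reference: $_ is the error record inside catch
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($group.Name)
            $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $who = $group.Name   # creator deleted or unresolvable: show the raw SID
        }
        $newest = $group.Group | Sort-Object whenCreated | Select-Object -Last 1
        [pscustomobject]@{
            Creator = $who
            Created = $group.Count
            Quota   = $quota
            AtLimit = ($group.Count -ge $quota)
            Newest  = $newest.Name
        }
    } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

An account shown with `AtLimit` set to `True` is one that would receive error 8557 on its next join.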
  2. Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory

    Hi,
    I would like to ask if you know what kind of permission the "normal" users
    must have to REMOVE a workstation from the domain.

    I grant the permission "Add workstation to domain" to the Install group of
    users, but they can't remove a computer from the domain when they need to
    re-install any computer. That makes a lot of calls from these users for us to
    manually delete those accounts...

    Thanks.
    Eduardo S. Antunes
    BRASIL


  3. Archived from groups: microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory

    "Eduardo S. Antunes" <Eduardo S. Antunes@discussions.microsoft.com>
    wrote in message news:Eduardo S. Antunes@discussions.microsoft.com:
    > Hi,
    > I would like to ask if you know what kind of permission the "normal"
    > users must have to REMOVE a workstation from the domain.
    >
    > I grant the permission "Add workstation to domain" to the Install group of
    > users, but they can't remove a computer from the domain when they need to
    > re-install any computer. That makes a lot of calls from these users for us
    > to manually delete those accounts...
    >

    Hi Eduardo,

    As far as I know they need to be local Admin and require the right to
    Delete the Computer Object in AD.

    The following guide might help you:

    Best Practices for Delegating Active Directory Administration
    http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

    Best Practices for Delegating Active Directory Administration Appendices
    http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en


    --
    Gruesse - Sincerely,

    Ulf B. Simon-Weidner

    MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
    Weblog: http://msmvps.org/UlfBSimonWeidner
    WebSite: http://www.windowsserverfaq.org
  4. Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory

    Thanks Ulf
    I grant permissions to Computer Objects to my group and now everything is ok.

    Thank you.


  5. Archived from groups: microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory

    "Eduardo S. Antunes" <Eduardo S. Antunes@discussions.microsoft.com>
    wrote in message news:Eduardo S. Antunes@discussions.microsoft.com:
    > Thanks Ulf
    > I grant permissions to Computer Objects to my group and now everything is
    > ok.
    >
    > Thank you.
    >

    You're welcome - glad you got it working as you wanted it.

    --
    Gruesse - Sincerely,

    Ulf B. Simon-Weidner

    MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
    Weblog: http://msmvps.org/UlfBSimonWeidner
    WebSite: http://www.windowsserverfaq.org