delegated rights only allow 10 changes

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Chaps,

Is there a workaround to allow more than 10 PCs to be added by a delegated
user in AD?

We have a satellite office with a local IT support technician, but he has
hit his 10-PC joining limit. Is there a workaround?

TIA
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    No matter, found this....

    http://support.microsoft.com/default.aspx?scid=kb;en-us;251335

    "Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
    news:OKLTvw4tFHA.3188@TK2MSFTNGP14.phx.gbl...
    > Chaps,
    >
    > Is there a work around to allow more than 10 pc's to be added by a
    > delegated
    > user in AD?
    >
    > We have a satellite office with a local IT support technician, but he has
    > hit his 10 pc joining limit, is there a workaround?
    >
    > TIA
    >
    >
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "" wrote:
    > Chaps,
    >
    > Is there a work around to allow more than 10 pc's to be added
    > by a delegated
    > user in AD?
    >
    > We have a satellite office with a local IT support technician,
    > but he has
    > hit his 10 pc joining limit, is there a workaround?
    >
    > TIA

    The User Right "Add workstations to the domain" by default (configured in the Default Domain Controllers GPO) grants EVERY AUTHENTICATED USER (even non-admin users) in the domain the ability to add/join workstations to the domain. It is best to remove "authenticated users" from that user right or set the quota to 0.

    For true delegation it is better to delegate the right to a group and define that on an OU (not a container) to create computer accounts and to join computers as mentioned below.

    Using the delegation of control wizard you can delegate the creation of computer accounts to the domain. This does not mean the same user/group can also JOIN the computer to the domain. In the DELEGWIZ.INF file (%WINDIR%\INF) look at template 6.....
    By default the "AppliesToClasses" is set to "domainDNS" (case sensitive and without quotes). With this you can only delegate computer account creation at domain level. Change that to "domainDNS,organizationalUnit,container" (case sensitive and without quotes) and you will be able to delegate at OU level.

    If you delegate the creation of computer accounts to a group (e.g. GROUP-CREATE-COMPOBJ), the member of that group that creates the computer becomes the owner of the computer account and automatically receives the right to join a computer with that name to the domain. The other members of that group will not be able to join the computer to the domain. In this case only the user that created the computer account will be able to join the computer.
    Let's say you have another group called GROUP-JOIN-COMP that is allowed to join computers (not create computer accounts) to the domain. The user who creates the computer account has the possibility to designate which user or group gets the rights to join the computer to the domain with the option "The following group or user can join this computer to a domain" (this is by default the Domain Admins group). The group mentioned in that option will be able to join the computer to the domain. In my opinion that is a lot of work just to create a computer account and join it.

    It is however possible to pre-configure the option called "The following group or user can join this computer to a domain" (by default the Domain Admins group).

    Add to the DELEGWIZ.INF file (%WINDIR%\INF) a NEW template you can use to delegate the task of JOINING COMPUTERS TO THE DOMAIN (not the creation of computer accounts). The minimum rights are mentioned below!

    REPLACE THE X with a NUMBER!

    ;----------------------------------------------------------
    [templateX]
    AppliesToClasses = domainDNS,organizationalUnit,container

    Description = "Join a computer to the domain in an OU (computer account pre-created)"

    ObjectTypes = computer

    ;The per-class section must carry the same number as the template above
    [templateX.computer]
    ;Right to join computers to domain
    CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
    ;----------------------------------------------------------

    This way you can delegate the creation of computer accounts to group1 and the joining of the computers to group2.

    It is also however possible you have a group of people who create computer accounts and also join them. To enable everyone in that group to create computer accounts and join the computers to the domain independent of who created the computer accounts, replace TEMPLATE 6 with what is mentioned below or perform the delegation twice with the additional task created above! If you want to join a computer to the domain in a specific OU and the computer account has not been pre-created you cannot use the GUI at the computer. For this you must use the tool NETDOM so you can specify the OU the computer account must reside in! The latter is only possible when you at least have the right to create a computer object in the designated OU. Joining will also be possible because you automatically become the owner of the computer account!

    ;----------------------------------------------------------
    [template6]
    AppliesToClasses = domainDNS,organizationalUnit,container

    Description = "Add and/or join a computer to the domain in an OU (computer)"

    ObjectTypes = SCOPE, computer

    [template6.SCOPE]
    ;Right to create computer objects
    computer=CC

    [template6.computer]
    ;Right to join computers to domain
    CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
    ;----------------------------------------------------------

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
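The two controls the second answer describes, the domain-wide quota behind the "10 pc" limit and the join rights granted by the template, can be audited from PowerShell. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, and the OU path and group name are placeholders to replace (the GUIDs are the well-known schema identifiers of the rights named in the template).

```powershell
# Added example (not from the thread): audit the machine-account quota and the
# join rights delegated on one OU. Assumes the RSAT ActiveDirectory module;
# $OuDn and $GroupName are placeholders.
Import-Module ActiveDirectory

$OuDn      = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU
$GroupName = 'GROUP-JOIN-COMP'                      # group name used in the post

# 1. The "10 pc" limit is ms-DS-MachineAccountQuota on the domain head (default 10).
$domain = Get-ADDomain
$head   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota  = $head.'ms-DS-MachineAccountQuota'
if ($quota -ne 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota; every authenticated user can join that many machines."
    # Enforce the post's recommendation (remove the comment to apply):
    # Set-ADObject -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}
}

# 2. GUIDs of the rights the template's CONTROLRIGHT line grants.
$joinRights = [ordered]@{
    'Reset Password'                            = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    'Validated write to DNS host name'          = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
    'Validated write to service principal name' = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
    'Account Restrictions'                      = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'
}
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "computer"

# 3. Read the OU's DACL and keep only Allow ACEs for the delegated group.
$acl   = Get-Acl -Path "AD:\$OuDn"
$ident = "$($domain.NetBIOSName)\$GroupName"
$aces  = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ident
}

# Create-computer right (template6.SCOPE: computer=CC) is an ACE on the OU itself.
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$canCreate = [bool]($aces | Where-Object {
    $_.ActiveDirectoryRights.HasFlag($createChild) -and $_.ObjectType -eq $computerClass
})
Write-Output ("Create computer objects in {0}: {1}" -f $OuDn, $canCreate)

# Join rights (templateX.computer) must apply to computer objects under the OU,
# so the ACE is either scoped to the computer class or unscoped (Empty GUID).
foreach ($name in $joinRights.Keys) {
    $present = [bool]($aces | Where-Object {
        $_.ObjectType -eq $joinRights[$name] -and
        ($_.InheritedObjectType -eq $computerClass -or $_.InheritedObjectType -eq [guid]::Empty)
    })
    Write-Output ("{0,-45}: {1}" -f $name, $present)
}
```

Rights granted through group nesting or on a parent container are not resolved here; the report only reflects ACEs naming the group directly on that OU.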