Allow - Create Computer Objects

Just wondering where one goes about assigning this permission, according to Transcender, it says to give the permission within "Active Directory Users and Computers" on the Computers object, yet I only get the ability to change the description. I know there is a GPO for adding users to the domain, in the security settings though. (And the fact that by default, any user can add upto 10 computers to the domain)

Any ideas?

Find more posts tagged with

Comments

sprkymrk

on the Computers object

When you create a new computer account in ADUC, the first screen in the wizard (New-->Computer) has a box "The following user or group can join this computer to a domain". Change it from the default Domain Admins to whomever you want.

dynamik

in ADUC, right-click on the domain (mycompany.com or whatever) and choose delegate control, click next, add users/groups, click next, and choose join a computer to the domain.

sprkymrk

dynamik wrote:

in ADUC, right-click on the domain (mycompany.com or whatever) and choose delegate control, click next, add users/groups, click next, and choose join a computer to the domain.

Hi dynamik:
I didn't see "join a computer to the domain" as an option, even under Advanced. Is it only available at the Top Level Domain Policy? I checked under a couple of OU's, but not the domain level. Also, it looks like his reference was specifically talking about the "Computer Object".

dynamik

Yeah, it's at the domain level. I'm assuming that's because it's more a domain-level task than an OU-level task. He mentioned the 10 computer limit that each user has as well as GPO, so I thought he was referring to a larger scale solution. I didn't see he specifically mentioned working with the computer object, so your answer is probably more appropriate for this situation.

[edit]
Oh nice, you even singled that part out in a quote. Sorry man - it was the end of an exhausting day at work

sprkymrk

dynamik wrote:

Yeah, it's at the domain level. I'm assuming that's because it's more a domain-level task than an OU-level task. He mentioned the 10 computer limit that each user has as well as GPO, so I thought he was referring to a larger scale solution. I didn't see he specifically mentioned working with the computer object, so your answer is probably more appropriate for this situation.

[edit]
Oh nice, you even singled that part out in a quote. Sorry man - it was the end of an exhausting day at work

Oh wait, I found it in the GPO policy under User Right Assignments - Join Computer to domain. I just couldn't see it in the Delegation Wizard. Thanks!