
Join Domain without a Domain account?

user01 Registered Users Posts: 3
According to the MS press 70-270 Training Kit book, Chapter 2 Lesson 1 review:

You do not need a user account to join a computer to a Domain. However, the computer must already have an account in the Domain.

So, I've been testing this.

In a Domain, using Active Directory Users and Computers, I create a computer object COMP1 in the Computers AD folder.

Then I log on to COMP1 as a local administrator and attempt to join it to the Domain. I get asked for the name and password of an account with permission to join the Domain. Providing the local admin name and password doesn't work.

So, is the Training Kit wrong? When I create the computer object in AD, must I do something further? In the ADUC New Object dialog, there is the possibility of choosing the user or group who can add this computer to the domain. Even picking the Everyone group doesn't work.

Has anyone else tested this?

Richard

Comments

  • Essendon Member Posts: 4,546
    I haven't read the book, but it looks like they meant you don't need a local user account (non-admin) to join a computer to the domain. Just a domain account that has privileges to join machines to the domain.

    Or they could be talking about this.
    NSX, NSX, more NSX..

    Blog >> http://virtual10.com
  • user01 Registered Users Posts: 3
    Thanks for your reply Essendon.
    Essendon wrote: »
    looks like they meant you don't need a local user account (non-admin) to join a computer to the domain. Just a domain account that has privileges to join machines to the domain.

    It's one of the 'choose all that apply' type questions.

    What information is required when joining a domain during the Windows XP Professional installation? Choose all that apply.
    (a)...
    (b) You must have a user account in the domain
    (c)...
    (d)....

    The answer section says that (b) is not a requirement.

    Maybe the requirement during installation is different from that for joining a domain after installation. I'll test that.
    Essendon wrote: »
    Or they could be talking about this.

    Thanks for the link, but I don't think that feature is part of XP.

    On another matter, it seems this is a good place to discuss XP matters. I posted the same question at the same time on TechNet. Over the same period, the post here got 61 views, the one on TechNet 43, but without any response. I was supposing that the TechNet stats would be higher.

    Regards
    Richard
  • Devilsbane Member Posts: 4,214
    Essendon wrote: »
    I haven't read the book, but it looks like they meant you don't need a local user account (non-admin) to join a computer to the domain. Just a domain account that has privileges to join machines to the domain.

    I thought it was alluding to the fact that any domain user has the ability to add 10 computers to the domain. But I also haven't read the book.
    Decide what to be and go be it.
  • RobertKaucher Member Posts: 4,299
    This *MUST* be wrong. The idea that any person could join a system to the domain w/o any credentials is insane. I am sure this will be found to be an error in the test prep material.
  • MrAgent Member Posts: 1,310
    You definitely need an account to join any machine to a MS domain. It's best practice to pre-create the account in the OU it should be in, then have someone else join it. You can also just join it to the domain, and have the machine be put into the Computers OU by default.

    Either way, you have to have the correct permissions to join.
  • user01 Registered Users Posts: 3
    Thanks to all for their comments on this thread.
    user01 wrote: »
    Maybe the requirement during installation is different from that for joining a domain after installation. I'll test that.
    I've tested attempting to join a domain during installation, with a pre-created computer object in AD, but without a domain account. This isn't possible either.

    I'll regard the assertion as an error in the Training Kit book, although it's not listed as such on the errata page:

    MCSA/MCSE Self-Paced Training Kit (Exam 70-270): Installing, Configuring, and Administering Microsoft® Windows® XP Professional Confirmed Errata | O'Reilly Media

    Regards
    Richard
  • 518 Member Posts: 165
    This *MUST* be wrong. The idea that any person could join a system to the domain w/o any credentials is insane. I am sure this will be found to be an error in the test prep material.

    ^ what he said.

    Essendon wrote: »
    I haven't read the book, but it looks like they meant you don't need a local user account (non-admin) to join a computer to the domain. Just a domain account that has privileges to join machines to the domain.

    Exactly my thought.

    A domain-admin or a group who has the privilege to add/remove computers to the domain is needed.

    We don't let any user add any computer to the domain. However, we created a group for each department that has the privilege to add/remove systems [unlimited amount] to the domain. We also grant a one-time privilege to a specific user to add a specific computer to the domain, which is useful for regional users.
  • Xantcha Member Posts: 64
    You definitely need a domain user account and password to join the PC to the domain. What is not clear is if it needs to be an admin account / someone with the rights to join the PC to the domain or just a normal user (with a domain user account).

    I have it somewhere in the back of my head that a normal user could join a PC to a domain and that he had the rights to join up to 10 of them but most of what I've read suggests that you need an admin account.
  • unnamedplayer Member Posts: 74
    Xantcha wrote: »
    You definitely need a domain user account and password to join the PC to the domain. What is not clear is if it needs to be an admin account / someone with the rights to join the PC to the domain or just a normal user (with a domain user account).

    I have it somewhere in the back of my head that a normal user could join a PC to a domain and that he had the rights to join up to 10 of them but most of what I've read suggests that you need an admin account.

    By default, authenticated users are allowed to add machines to the domain. So, any user can do this, but they have a 10-machine quota. This quota does not affect domain admins, and obviously not anyone to whom you specifically grant the right to add the computer while pre-staging the machine.

    You have a couple of options to change this. One, change ms-DS-MachineAccountQuota from 10 to whatever you like. Change it to 0 to stop normal domain users from being able to add machines altogether. Two, you can change the Default Domain Controllers GPO. Under Security Settings > Local Policies > User Rights Assignment, change the "Add workstations to domain" setting. As you will see, it is set to Authenticated Users by default.
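The two levers in the post above, the ms-DS-MachineAccountQuota attribute and the "Add workstations to domain" user right, can be audited and tightened from PowerShell. The script below is an added example, not code from the thread or from any of its posters. It assumes the RSAT ActiveDirectory module is installed, that it runs as an account allowed to read and modify the domain naming context, and it only writes the new quota when `$Apply` is flipped to `$true`. It also lists computer objects whose mS-DS-CreatorSID attribute is populated, which Active Directory stamps when a machine was joined under the per-user quota rather than by a principal with explicit create rights, so a defender can see how much of the fleet came in through that path before closing it.

```powershell
# Added example (not from the thread): audit and harden the default
# "any authenticated user may join 10 machines" behaviour.
# Assumptions: RSAT ActiveDirectory module present; caller can read and
# (when $Apply is $true) write the domain root object.

Import-Module ActiveDirectory

$Apply = $false   # set to $true to actually write ms-DS-MachineAccountQuota = 0

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Read the current quota; the attribute lives on the domain root object.
$root  = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$quota = $root.'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Find computers that were joined under the quota. When that path is used,
#    AD records the creator's SID in mS-DS-CreatorSID; objects created by
#    admins or pre-staged in ADUC normally leave the attribute empty.
$quotaJoins = Get-ADComputer -Filter * -Properties mS-DS-CreatorSID, whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        # The attribute comes back as a raw SID byte array; decode it.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # account since deleted: keep the raw SID
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
        }
    }

Write-Host "Computers joined under the per-user quota: $(@($quotaJoins).Count)"
$quotaJoins | Sort-Object WhenCreated -Descending | Format-Table -AutoSize

# 3. Set the quota to 0 so only principals granted the right explicitly
#    (or via a pre-staged object's "who can join" setting) can add machines.
if ($Apply -and $quota -ne 0) {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host "ms-DS-MachineAccountQuota set to 0 on $($domain.DNSRoot)."
}
```

Setting the quota to 0 is the smaller change of the two: it leaves the "Add workstations to domain" right alone, so pre-staged joins and delegated OU permissions keep working, while removing the ten free joins every authenticated user otherwise has. If you also want to confirm who currently holds that user right, export the Default Domain Controllers Policy with `Get-GPOReport -Name 'Default Domain Controllers Policy' -ReportType Xml` from the GroupPolicy module and look for the SeMachineAccountPrivilege entry.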