Joining a computer to a domain

What is the exact permission needed to join a computer to a domain? I mean, if there is already a computer object in AD for PC1, and you want to join PC1 to the domain, which exact permission(s) will the user need to do so?
I know that the NewObject - Computer wizard over-delegates, so I want to know the exact permission(s). I am btw thinking of joining a computer to a domain, and not creating a computer object in an OU, or is the permission used to perform both tasks the same (create computer objects)?
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
Comments
You can change the group to whatever group you wish, by creating the account in AD first, and in the box that says "User or Group" change this to the group (or user account) that you want to be able to add computers to the domain.
There is, it's a local security policy under either user assignments or security options (I forget which atm, it's very late). Basically by default it's set to administrators and backup operators (in 2008R2 I think). Certain security hardening standards dictate you change that to only allow admins to join to a domain.
A little side rant - use of the word "permissions" has always been a gray area for me. In the Microsoft world, depending on who you talk to there is a distinction between the terms "permissions," "privileges," and "rights." Permissions refer to specific actions you can take against named objects like files, folders, registry keys, etc., such as Read, Write, Modify, Read & execute, Write extended attributes, Take ownership, etc.
Privileges refer to actions a security context (that is, an account) can perform within an operating system environment based on the security token which is assigned by the Local Security Authority during session logon. Examples are creating users, viewing the Security event log, shutting down the system, modifying the security policy, etc. Security tokens are generated and attached to the account's root initial process after that account is successfully validated via the SAM or AD (or cached credentials). It's post-authentication.
Rights ("user logon rights") are functions one can perform before logon and before the security token is assigned. The list is smaller here, like "Log on as a service," "Allow log on locally," etc.
At least, this is how I learned it from reading one of Mark Minasi's books as well as Windows Internals. Now that said, most people use these terms interchangeably. Even many Microsoft articles do this. It doesn't help that there's a section in the policy labeled "User Rights Assignment."
Getting back to your original question, I'd guess it's SeMachineAccountPrivilege that you're looking for, but you can also check out these lists as well:
http://technet.microsoft.com/en-us/library/dd277311.aspx
http://technet.microsoft.com/en-us/library/dd349804(v=ws.10).aspx
I asked the same question here Joining a computer to a domain - Petri.co.il forums by Daniel Petri and I think the answer he provided (have not tried it though) might be what I was looking for, but it still does not provide the exact permission(s). Obviously I think Create Computer objects will do the trick too, but that would give you the right to add as well, and not JUST join.
About the msDSAccountQuota, doesn't it prevail over the user right "add workstations to domain"? Because by default the Authenticated Users group has the "add workstations to domain" user right, but if you set the msDSAccountQuota to 0, the user right will have no effect. That's at least how I remember having read it.
If the default computer container has been redirected with the redircmp command, and the new OU has the proper permissions, this will also prevent standard authenticated users from joining computers to the domain.
Current Certs: CCENT | MCTS | Network+
Currently Working On: Security+
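The two settings the comments above describe, the "Add workstations to domain" user right (SeMachineAccountPrivilege) and the quota attribute (the comment calls it msDSAccountQuota; the attribute on the domain naming-context head is ms-DS-MachineAccountQuota), can be audited together. The following script is an added example, not posted by anyone in this thread; it assumes the RSAT ActiveDirectory module is available, that it runs on a domain controller (the user right is evaluated on the DC that processes the join, so the exported local policy there is the one that matters), and that the account running it can read the domain object and run secedit.

```powershell
# Added example: report who can join computers to this domain and how many each may join.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# ms-DS-MachineAccountQuota lives on the domain NC head; default is 10, 0 disables quota-based joins.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# Export the effective user-rights assignment of this DC with the built-in secedit tool.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# The INF line looks like: SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-32-544
# Entries prefixed with '*' are SIDs; resolve them to account names where possible.
$holders = @()
if ($line) {
    foreach ($entry in (($line -split '=', 2)[1].Trim() -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $holders += $sid.Value }   # unresolvable SID: keep the raw value
        }
        else { $holders += $entry }
    }
}
"'Add workstations to domain' (SeMachineAccountPrivilege) holders: $($holders -join ', ')"

# Interpretation, following the behaviour described in the thread:
if ($quota -eq 0) {
    "Quota is 0: the user right alone lets nobody join; joins require delegated permissions " +
    "on the computer object or its OU."
}
elseif ($holders -contains 'NT AUTHORITY\Authenticated Users') {
    "Any authenticated user may join up to $quota computers without delegated permissions."
}
else {
    "Only the listed holders may use the quota of $quota; others need delegated permissions."
}

# Hardening step often paired with OU-level delegation (uncomment to apply):
# Set-ADObject -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

The script only reads the current state; the last, commented-out line is the change a hardening standard of the kind mentioned above would ask for, so that computer joins happen only through explicitly delegated permissions on the target OU rather than through the default right held by every authenticated user.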