Yes the two actions are different. Look at the following article. The article mentions the ms-DS-MAchineAccountQuota and not the giving “Add Workstations to Domain” right but either method should work. I wouldn’t suggest adding to the ms-DS-MAchineAccoutnQuota though… I am assuming, by the way, that the end users are actually joining the systems to the domain and the admin creating the computer account in AD are different people (<InnerVoice> never assume, never assume…</InnerVoice>)
Q251335
From: Mayet, Yusuf Y
[mailto:[EMAIL PROTECTED]
So correct me if I am wrong but what you are saying is that even though I have given them the right over the OU to add computer objects I would still have to go to the Domain Policy and specify the groups that can add workstations to the domain?
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Hmmm, what error? When the computer joins the domain?... I wonder if it is a permissions issue on the "join domain" part. The user actually joining from the computer need to have that right this can be done through GP. The right is given by default with the msDsMachineAccountQuota. Every user, by default, can add 10 computers to the domain if this has been turned off or the 10 limit has been reached you need to give the rights our for individuals to 'Join Computers to Domain'...
Kevin
From: Mayet, Yusuf Y
[mailto:[EMAIL PROTECTED]
Well seeing this discussion has started I would like to throw a curve ball.
In my environment I have chosen the route to train the junior lads into pre-creating the computer account into the relative OU.
I have delegated the following permission over "Computer Objects" to "Add and Remove computer objects"
The problem I am experiencing is that if the computer account already exists in the OU the error received is "access Denied"
Thanks in advance Yusuf
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
You don't need to give them account operator rights. You give them 'specific' delegated rights. There could be some complex solutions that involve automating the process of looking through the computers container and moving computer account to the appropriate container (that is if you know the appropriate container via a name designation or something). This can be automated and scheduled but if you are too understaffed I doubt you will be able to find the time to develop this kind of solution. To have full functionality to address some of the complexities of AD management easily you will probably want to evaluate third part administrative tools. (<plug>Oh, yeah, my company has one.</plug>)
Kevin Sullivan Aelita Software www.aelita.com
From: Chris Flesher
[mailto:[EMAIL PROTECTED]
I saw that out on Technet. That's great as long as there is a person/group to handle that. We are understaffed and are looking for the OU admins to take care of this without giving them Account Operator rights.
Chris Flesher The University of Chicago NSIT/DCS 1-773-834-8477
__________________________________________________________________________________________________________________________________ For information about the Standard Bank group visit our web site <www.standardbank.co.za> __________________________________________________________________________________________________________________________________ For information about the Standard Bank group visit our web site <www.standardbank.co.za> |
Title: Message
- [ActiveDir] Adding machines to OU dire... Chris Flesher
- RE: [ActiveDir] Adding machines t... Rakes, Brandon A. NMIMC Contractor
- RE: [ActiveDir] Adding machin... Chris Flesher
- RE: [ActiveDir] Adding machines t... Sullivan, Kevin
- RE: [ActiveDir] Adding machines t... Sullivan, Kevin
- RE: [ActiveDir] Adding machines t... Mayet, Yusuf Y
- RE: [ActiveDir] Adding machin... Rick Kingslan
- RE: [ActiveDir] Adding machines t... Sullivan, Kevin
- RE: [ActiveDir] Adding machines t... Mayet, Yusuf Y
- RE: [ActiveDir] Adding machines t... Free, Bob
- RE: [ActiveDir] Adding machines t... Sullivan, Kevin
- RE: [ActiveDir] Adding machines t... Coleman, Hunter
- RE: [ActiveDir] Adding machines t... Sullivan, Kevin
- RE: [ActiveDir] Adding machines t... Wright, T. MR NSSB
- RE: [ActiveDir] Adding machines t... Ayers, Diane
- RE: [ActiveDir] Adding machines t... deji
- RE: [ActiveDir] Adding machines t... GRILLENMEIER,GUIDO (HP-Germany,ex1)