Join Domain Without Domain Admin
Hi,
How do I grant a group rights to join computers to a domain without making them domain admins? Currently our clients are using Windows XP, and the domain is using Windows Server 2003.
April 8th, 2011 9:15am
Hi!
Not my area of expertise, but I think you could pre-create the computer object in AD and there choose the user or group that should be able to join the computer to the domain.
/Leyan
April 8th, 2011 9:38am
Hi,
I use the following script to apply permissions on an OU such that joining computers to the domain can be performed by a group other than Domain Admins. It is also worth noting that by default any user can join up to 10 computers to the domain.
@ECHO OFF
SETLOCAL
:: Set target OU and security principal
SET OU=OU=Temp,DC=acme,DC=com
SET SP=ACME\DomainJoiners
:: Grant permissions to Add and Delete computer objects
dsacls %OU% /G %SP%:CC;computer;
dsacls %OU% /G %SP%:DC;computer;
:: Grant permissions to join computers to the domain
dsacls %OU% /I:S /G %SP%:CALCGRSDDTRC;;computer
dsacls %OU% /I:S /G %SP%:WP;description;computer
dsacls %OU% /I:S /G %SP%:WP;sAMAccountName;computer
dsacls %OU% /I:S /G %SP%:WP;displayName;computer
dsacls %OU% /I:S /G %SP%:WP;userAccountControl;computer
dsacls %OU% /I:S /G %SP%:WS;"Validated write to service principal name";computer
dsacls %OU% /I:S /G %SP%:WS;"Validated write to DNS host name";computer
ENDLOCAL
Steve Griffiths
April 8th, 2011 10:07am
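A PowerShell equivalent of the dsacls delegation in Steve's script, added here as an example and not part of his post. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), reuses the placeholder OU OU=Temp,DC=acme,DC=com and group ACME\DomainJoiners from the script, and resolves schema class, attribute and validated-write GUIDs from the directory instead of hardcoding them.

```powershell
# Added example (not the thread's script): grant the same rights as the dsacls lines
# using the ActiveDirectory module and System.DirectoryServices ACL classes.
# Assumptions: RSAT ActiveDirectory module is installed, the OU and group are the
# placeholder values from the dsacls script, and the caller may modify the OU's ACL.
Import-Module ActiveDirectory

$OU    = 'OU=Temp,DC=acme,DC=com'   # placeholder OU from the dsacls script
$Group = 'ACME\DomainJoiners'       # placeholder group from the dsacls script

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve a class or attribute lDAPDisplayName to its schemaIDGUID (no hardcoded GUIDs).
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# Resolve an extended right or validated write by display name to its rightsGuid.
function Get-RightsGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$displayName' not found" }
    return [guid]$obj.rightsGuid
}

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])
$computerGuid = Get-SchemaGuid 'computer'
$acl = Get-Acl -Path "AD:\$OU"

$AR    = [System.DirectoryServices.ActiveDirectoryRights]
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow

# 1. Create and delete computer objects directly under the OU (dsacls CC;computer and DC;computer).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($AR::CreateChild -bor $AR::DeleteChild), $Allow, $computerGuid, $Inh::None)))

# 2. Rights on computer objects below the OU, existing ones included (dsacls /I:S CALCGRSDDTRC;;computer).
#    CA = all extended rights, LC = list contents, GR = generic read, SD = delete,
#    DT = delete subtree, RC = read security. /I:S maps to Descendents scoped to the computer class.
$onComputers = $AR::ExtendedRight -bor $AR::ListChildren -bor $AR::GenericRead -bor $AR::Delete -bor $AR::DeleteTree -bor $AR::ReadControl
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $onComputers, $Allow, $Inh::Descendents, $computerGuid)))

# 3. Write the specific attributes a join needs (dsacls /I:S WP;<attribute>;computer).
foreach ($attr in 'description', 'sAMAccountName', 'displayName', 'userAccountControl') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $AR::WriteProperty, $Allow, (Get-SchemaGuid $attr), $Inh::Descendents, $computerGuid)))
}

# 4. Validated writes for SPN and DNS host name (dsacls /I:S WS;"Validated write to ...";computer).
foreach ($right in 'Validated write to service principal name', 'Validated write to DNS host name') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $AR::Self, $Allow, (Get-RightsGuid $right), $Inh::Descendents, $computerGuid)))
}

Set-Acl -Path "AD:\$OU" -AclObject $acl
```

Because every inherited ACE is scoped to the computer class, the group gets nothing on user or group objects that live in the same OU. After running it, `dsacls "OU=Temp,DC=acme,DC=com"` shows the resulting ACEs so you can compare them against the dsacls script line by line.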
There are actually two ways to do this and it's important to understand the impact of both. First, Steven is right. By default authenticated users can join up to 10 computers to the domain. They get this ability from the following right:
Add workstations to domain
This is a security policy setting that only takes effect on domain controllers. Here is the explanation of this setting:
"This security setting determines which groups or users can add workstations to a domain.
This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.
Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.
Default: Authenticated Users on domain controllers.
Note: Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right."
The important section of the description is the NOTE. It describes the other location where users can be granted rights to add computers to the domain. This is on either the domain, or the computers container. Simply right click either, select delegate control, and then walk through the wizard. On the page that lists the permissions you can grant, one should say something like "Add computers to the domain" (I don't remember the exact verbiage). If you do it this way...
"Users with permissions on the container are not restricted to the creation of only 10 computer accounts."
and "computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right."
So those are the two different settings.
Finally, give this article a read:
Error Message "Access Denied" When You Join a Computer to a Domain
http://support.microsoft.com/kb/330095
You typically want to follow the steps listed here because if a computer account already exists and you still want this group of people to be able to join a computer to the domain with the same name, they will get Access Denied unless you follow the steps in this article. It's up to you if you want them to have this ability.
I hope this helps!
April 8th, 2011 10:52am
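To see which of the two mechanisms Sean describes is actually in play in a domain, here is an added PowerShell audit script (not part of the thread). It assumes the RSAT ActiveDirectory module and read access to the domain's security descriptors; the per-user allowance behind the Add workstations to domain right is stored in the domain's ms-DS-MachineAccountQuota attribute, and the owner of each computer account records which path created it, exactly as the policy text quoted above describes.

```powershell
# Added example (not from the thread): report both sources of domain-join rights.
# Assumptions: RSAT ActiveDirectory module is installed and the caller can read
# the ACLs of the domain head, the Computers container and every OU.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. The quota behind "Add workstations to domain": ms-DS-MachineAccountQuota on the
#    domain object (10 by default). Setting it to 0 removes the per-user allowance
#    without changing the user right itself.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $domainDN = $quota"

# 2. Explicit delegation: Allow ACEs granting CreateChild for computer objects (or for
#    any object class) on the domain head, the Computers container and each OU.
$computerClassGuid = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$containers = @($domainDN, $domain.ComputersContainer) +
    (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$delegations = foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
        # Empty ObjectType = may create any child class; computer GUID = computer objects only.
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $computerClassGuid) {
            [pscustomobject]@{
                Container = $dn
                Principal = $ace.IdentityReference.Value
                Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'any object class' } else { 'computer' }
                Inherited = $ace.IsInherited
            }
        }
    }
}
"`nPrincipals that can create computer objects:"
$delegations | Format-Table -AutoSize

# 3. Owner of each computer account: Domain Admins for accounts created through the
#    user right, the creating user for accounts created via container permissions.
"`nComputer accounts grouped by owner:"
Get-ADComputer -Filter * -Properties nTSecurityDescriptor |
    ForEach-Object { [pscustomobject]@{ Computer = $_.Name; Owner = $_.nTSecurityDescriptor.Owner } } |
    Group-Object Owner | Select-Object Name, Count | Format-Table -AutoSize
```

A typical hardened result is a quota of 0 (so ordinary users cannot join machines at all), a single dedicated group listed as a CreateChild principal on one staging OU, and no unexpected accounts in the delegation list; the owner report then shows which existing computer accounts were created by individual users under that delegation.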
Hi,
Yes, I know a domain user can join 10 computers to the domain. Okay, I will test your answer tomorrow. Thanks Sean!
G
April 10th, 2011 1:53pm
Hi Sean,
Thanks for your advice. It works!!
G
April 12th, 2011 3:44am