|
Posted by Steven L Umbach on July 11, 2005, 7:13 pm
If you were Registered and logged in, you could reply and use other advanced thread options
By default a regular user can join a computer to the domain up to ten times.
You can permanently give a user the ability to join computers to the domain
by giving a users group create computer objects permission on the domain or
computers container. This is called delegation of authority. You can right
click the domain or a container and select delegate control to start the
delegation wizard which has preset categories or you can create custom ones.
The delegation wizard simply changes AD permissions on the object. You also
for instance could select a container, right click
properties/security/advanced and then add or edit permissions. Then select
apply onto computer object and look for the needed permissions in the object
or properties tab. I believe read/write description is in the properties
tab. --- Steve
> Windows 2003 AD.
>
> All computer names are similar and are incremented by number 0001-9999.
>
> I found a script on technet from the scripting guys. Script works fine
> for
> me (I'm a domain admin), but fails for other users. The second part to
> the
> article was to give the users permissions to change the Description
> attribute. I don't necessarily want to give them the keys to the kingdom
> to
> accomplish this. Is this the group policy that allows the user to join
> the
> domain? can anyone shed some light?
>
> here's a link to the article:
>
http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0429.mspx
>
>
| 
XML site map