Enabling Authenticated Users to Join Computers to a Domain with No Administrative Intervention

ID: Q224676


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional


SUMMARY

By default, only members of the Domain Administrators global group have the requisite authority to join computers to a domain. This is because computer accounts are security principals, just like users, and can be used to gain authenticated access to a network.

In some environments, it may be necessary to allow all authenticated users to join their own computers to a domain, without the need of administrative intervention. In these environments, network management decides that the added cost of administering this activity outweighs the security risk.


MORE INFORMATION

To provide authenticated users the ability to join their own computers to the domain without administrative intervention, perform the following steps while you are logged on to the desired domain with administrative credentials:

  1. Click Start, point to Settings, and then click Control Panel.


  2. Double-click Administrative Tools, and then double-click Active Directory Users and Computers.


  3. Right-click the default computers container for the domain, and then click Delegate Control to begin the Delegation of Control Wizard.


  4. Click Next.


  5. In the Active Directory folder, click Next to proceed with the currently selected folder.


  6. In the Group or User Selection dialog box, click Add, click Authenticated Users, click OK, and then click Next.


  7. In the Predefined Delegations dialog box, click Custom Task, and then click Next.


  8. In the Active Directory Object Type dialog box, click Entire folder:, and then click Next.


  9. In the Permissions dialog box, click Show creation/deletion of subobject permission to provide the options you want in the Permissions to delegate: box. Scroll through the Permissions box and click the Create computer objects and Delete computer objects check boxes to select them, and then click Next.


  10. Click Finish.
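The wizard steps above end in one access control entry on the default Computers container. The following PowerShell script is an added example, not part of the KB article, that applies the same grant from a script and then reads the ACL back so the change can be reviewed and audited. It assumes a current domain controller with the ActiveDirectory PowerShell module (which provides the AD: drive) installed; that module did not exist on Windows 2000, so this is the present-day equivalent of the wizard, not the procedure the article describes.

```powershell
# Added example (not from the KB article): grant Authenticated Users the
# "Create computer objects" and "Delete computer objects" permissions on the
# default Computers container, which is what the Delegation of Control Wizard
# steps above do by hand. Assumes the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$container = $domain.ComputersContainer      # e.g. CN=Computers,DC=example,DC=com
$aclPath   = "AD:\$container"

# Well-known SID for Authenticated Users.
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

# schemaIDGUID of the "computer" object class. Scoping the ACE to this GUID
# limits the grant to computer objects rather than every child object type.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path $aclPath

# One ACE covering CreateChild and DeleteChild of computer objects, applied to
# the container itself (no inheritance to sub-containers).
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $authUsers,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# Verification: read the ACL back and list the ACEs for Authenticated Users
# that apply to computer objects, so the delegation is visible and auditable.
$authUsersName = $authUsers.Translate([System.Security.Principal.NTAccount])
(Get-Acl -Path $aclPath).Access |
    Where-Object {
        $_.IdentityReference -eq $authUsersName -and
        $_.ObjectType -eq $computerClassGuid
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Run the script from an elevated PowerShell session on a domain controller (or a workstation with the RSAT tools) as an account that is allowed to modify the container's security descriptor. The verification query at the end is the part worth keeping around: rerunning just that block shows whether the grant is still present, and a broader grant than CreateChild/DeleteChild on the computer class would show up there as well.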


Accomplishing This Goal Using Group Policy

Following the release of B3 of Windows 2000, it is now possible to provide users the ability to add their own computers to the domain by simply modifying the group policy object for the "Domain Controllers" organizational unit. Here are the steps involved in making this change in this manner.
  1. Start the Group Policy Editor MMC snap-in, with its context pointed at the Domain Controllers Organizational unit. This can be accomplished by right-clicking the Domain Controllers OU from within the Active Directory Users and Computers MMC snap-in, clicking Properties, clicking the Group Policy tab, clicking the Default Domain Controllers Policy policy object, and then clicking Edit.


  2. Navigate to the following node of the group policy object:
    Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\User Rights Assignment


  3. Double-click the Add workstations to domain node to open a dialog box in which you can add the domain users and groups you want to be able to create new workstations on the domain.


Remember that group policy must be reapplied to the domain controllers before users will be able to exercise this privilege.
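Because the user right only takes effect once the Default Domain Controllers Policy has been reapplied, it helps to have a check that reads the effective setting from a domain controller rather than trusting the policy editor. The PowerShell script below is an added example, not part of the KB article. It exports the effective user-rights assignments with secedit.exe, prints the accounts that currently hold "Add workstations to domain" (the SeMachineAccountPrivilege user right), and finally reads the domain's ms-DS-MachineAccountQuota attribute, which caps how many computer accounts a holder of that user right may create. It assumes a current domain controller with secedit.exe and the ActiveDirectory PowerShell module; the quota check is a related safeguard, not a step from the article.

```powershell
# Added example (not from the KB article): audit who holds the
# "Add workstations to domain" user right (SeMachineAccountPrivilege) on this
# domain controller, so the Default Domain Controllers Policy change can be
# verified after policy has been reapplied. Assumes secedit.exe and the
# ActiveDirectory PowerShell module are available.
Import-Module ActiveDirectory

$exportPath = Join-Path $env:TEMP 'user-rights.inf'
# Export only the user-rights area of the effective local security policy.
& secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# Lines in the [Privilege Rights] section of the export look like:
#   SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-32-544
$line = Get-Content $exportPath | Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' }
Remove-Item $exportPath -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeMachineAccountPrivilege is not assigned to any account on this DC.'
} else {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; translate them to account names
            # and fall back to the raw SID if the lookup fails.
            try {
                $sid = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else {
            $entry   # already an account name
        }
    }
    Write-Output 'Accounts holding "Add workstations to domain":'
    $holders | ForEach-Object { Write-Output "  $_" }
}

# ms-DS-MachineAccountQuota bounds how many computer accounts a holder of this
# user right (as opposed to an explicit Create-computer-objects ACE) may create.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"
```

Run it on each domain controller after the policy refresh; an account or group appearing in the list that was not deliberately added in step 3 is the signal to go back to the policy object and review who was granted the right.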

Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.