Delegate IT helpdesk group join computer into domain permission

From AlphaBook

Jump to: navigation, search

10 computers allowance

By default, any domain user can add 10 computers into domain:
- Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain (Default Domain Controllers Policy)
ms-DS-MachineAccountQuota
- Open ADSI Edit
- Connect to Default naming context
- Right click on DC=alphabook,DC=com,DC=cn
- From Attribute Editor, check the ms-DS-MachineAccountQuota, default value is 10

Delegate IT helpdesk permission

Create a custom task to delegate
Only the following objects in the folder
- Computer objects
Create selected objects in this folder and Delete selected objects in this folder
Permissions
- Reset Password
- Read and write Account Restrictions
- Validated write to DNS host name
- Validated write to service principal name

Reference

https://support.microsoft.com/en-us/help/932455/error-message-when-non-administrator-users-who-have-been-delegated-control-try-to-join-computers-to-a-windows-server-2003-based-or-a-windows-server-2008-based-domain-controller-access-is-denied

Retrieved from "http://49.232.164.96/index.php?title=Delegate_IT_helpdesk_group_join_computer_into_domain_permission&oldid=148"