#1
Creating a domain account only used to join computers to a domain

I'm trying to create an account whose only purpose is to be used when an admin wants to join a computer to the domain. All of our admins have their own account that is part of the domain admins group. I would like to remove the domain admin power from them while still letting them add computers to the domain.

I thought I could create an account that when you go through the motions of adding a computer and get to the point where it asks for your credentials you would use the user/pass of the account that is only allowed to join computers. This account would have absolutely no other privileges except for domain joining.

After initial testing I gave up on the account. I couldn't restrict its use to what I wanted.

If anyone has any ideas I would appreciate them, or let me know this is a lost cause.

Thanks!

#2

Re: Creating a domain account only used to join computers to a domain

A regular user account can add 10 computers to the domain by default. To increase that number see:
http://support.microsoft.com/kb/243327/en-us

hth
DDS

"Kevin" <Kevin@discussions.microsoft.com> wrote in message news:5CE54894-A10B-491F-8BDA-60DC313A9F6B@microsoft.com...
> I'm trying to create an account whose only purpose is to be used when an admin wants to join a computer to the domain. All of our admins have their own account that is part of the domain admins group. I would like to remove the domain admin power from them while still letting them add computers to the domain.
>
> I thought I could create an account that when you go through the motions of adding a computer and get to the point where it asks for your credentials you would use the user/pass of the account that is only allowed to join computers. This account would have absolutely no other privileges except for domain joining.
>
> After initial testing I gave up on the account. I couldn't restrict its use to what I wanted.
>
> If anyone has any ideas I would appreciate them, or let me know this is a lost cause.
>
> Thanks!

#3

Re: Creating a domain account only used to join computers to a domain

Here's an idea... I never tried that, but I think it can solve your problem: create a user account in AD and delegate it control to the Computers OU. Then use the 'netdom join' command to join the computer to the domain.

Check this article:
http://technet2.microsoft.com/Window....mspx?mfr=true

--
Ulisses Righi

"Kevin" <Kevin@discussions.microsoft.com> wrote in message news:5CE54894-A10B-491F-8BDA-60DC313A9F6B@microsoft.com...
> I'm trying to create an account whose only purpose is to be used when an admin wants to join a computer to the domain. All of our admins have their own account that is part of the domain admins group. I would like to remove the domain admin power from them while still letting them add computers to the domain.
>
> I thought I could create an account that when you go through the motions of adding a computer and get to the point where it asks for your credentials you would use the user/pass of the account that is only allowed to join computers. This account would have absolutely no other privileges except for domain joining.
>
> After initial testing I gave up on the account. I couldn't restrict its use to what I wanted.
>
> If anyone has any ideas I would appreciate them, or let me know this is a lost cause.
>
> Thanks!

#4

Re: Creating a domain account only used to join computers to a dom

Thank you for the reply!
I planned on turning the default 10 computers any user can join down to 0 and force them to use the credentials of another account that can only join computers to the domain. Would each tech person need to learn how to use Netdom to join computers?

"Ulisses Righi" wrote:
> Here's an idea... I never tried that, but I think it can solve your problem: create a user account in AD and delegate it control to the Computers OU. Then use the 'netdom join' command to join the computer to the domain.
>
> Check this article:
> http://technet2.microsoft.com/Window....mspx?mfr=true
>
> --
> Ulisses Righi
>
> "Kevin" <Kevin@discussions.microsoft.com> wrote in message news:5CE54894-A10B-491F-8BDA-60DC313A9F6B@microsoft.com...
> > I'm trying to create an account whose only purpose is to be used when an admin wants to join a computer to the domain. All of our admins have their own account that is part of the domain admins group. I would like to remove the domain admin power from them while still letting them add computers to the domain.
> >
> > I thought I could create an account that when you go through the motions of adding a computer and get to the point where it asks for your credentials you would use the user/pass of the account that is only allowed to join computers. This account would have absolutely no other privileges except for domain joining.
> >
> > After initial testing I gave up on the account. I couldn't restrict its use to what I wanted.
> >
> > If anyone has any ideas I would appreciate them, or let me know this is a lost cause.
> >
> > Thanks!

#5

Re: Creating a domain account only used to join computers to a dom

Making the reg hack does not force them to add the computers to the domain via netdom join. They can use the GUI if they want.

#6

Re: Creating a domain account only used to join computers to a dom

You are right, I think that there's going to be no problem joining computers using the GUI.

--
Ulisses Righi

"Danny Sanders" <DSanders@NOSPAMciber.com> wrote in message news:OWCNPfvSHHA.4028@TK2MSFTNGP04.phx.gbl...
> Making the reg hack does not force them to add the computers to the domain via netdom join. They can use the GUI if they want.
>
> hth
> DDS
> "Kevin" <Kevin@discussions.microsoft.com> wrote in message news:89E185A4-A5AC-4B33-AD64-636874B606DE@microsoft.com...
>> Thank you for the reply!
>> I planned on turning the default 10 computers any user can join down to 0 and force them to use the credentials of another account that can only join computers to the domain. Would each tech person need to learn how to use Netdom to join computers?
>>
>> "Ulisses Righi" wrote:
>>
>>> Here's an idea... I never tried that, but I think it can solve your problem: create a user account in AD and delegate it control to the Computers OU. Then use the 'netdom join' command to join the computer to the domain.
>>>
>>> Check this article:
>>> http://technet2.microsoft.com/Window....mspx?mfr=true
>>>
>>> --
>>> Ulisses Righi
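
One way to set up what posts #2 through #6 describe, as an added example that is not part of any post in this thread: set the default join quota (the domain's `ms-DS-MachineAccountQuota` attribute) to 0 and delegate only computer-object creation on the default computers container to a join-only account. It assumes the RSAT ActiveDirectory module is available; `CORP\svc-domainjoin` and both function names are hypothetical.

```powershell
# Added example. CORP\svc-domainjoin is a constructed placeholder for the
# join-only account; create it first as an ordinary user in no admin groups.
$JoinAccount = 'CORP\svc-domainjoin'

function Set-JoinOnlyDelegation {
    # Run once from an admin workstation with RSAT, as a domain administrator.
    Import-Module ActiveDirectory
    $domain    = Get-ADDomain
    $container = $domain.ComputersContainer   # default location for newly joined machines

    # Turn the per-user join quota (10 by default) down to 0, so accounts
    # without an explicit delegation can no longer create computer objects.
    Set-ADDomain -Identity $domain.DNSRoot -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

    # Grant the join account "create child" (CC) for computer objects only,
    # on the container and everything below it (/I:T). Nothing else is granted.
    dsacls $container /I:T /G "${JoinAccount}:CC;computer"

    # Read both settings back so the change can be reviewed.
    $quota = (Get-ADObject -Identity $domain.DistinguishedName `
                  -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    [pscustomobject]@{
        Quota     = $quota
        Container = $container
        JoinAces  = @(dsacls $container | Select-String -SimpleMatch $JoinAccount)
    }
}

function Join-WithJoinAccount {
    # Run on the computer being joined, from an elevated local-admin prompt.
    param([Parameter(Mandatory)][string]$DomainName)
    $cred = Get-Credential -UserName $JoinAccount -Message 'Password for the join-only account'
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
    # netdom equivalent (prompts for the password):
    #   netdom join %COMPUTERNAME% /domain:<domain> /userd:CORP\svc-domainjoin /passwordd:*
}
```

Because the delegation sits on the default computers container, the same credentials can also be entered in the GUI join dialog, so techs do not have to learn netdom.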

#7

Re: Creating a domain account only used to join computers to a dom

Also check out OUrganizeIT ... http://www.synergix.com. It does a bit more than what you're looking for but will give you some ideas on organizing computer objects in AD (join, move, update description, link with user object by updating managed by attribute, etc.). Plus, you don't need to ask admins or users to join or organize computer objects in AD.