Delegate domain user permission to join domain

I have a person who i must delegate him to join domain permission .I do :
Right click abc.com , delegate control ...,next ,add user peter@abc.com
,next ,checked "Join a computer to the domain" ,next ,finnish .But Peter
cannot join another computer to domain .
Pls ,tell me WHY ?
How can I delegate him join another computer to domain ???
Thank so much for reading !!!

by default authenticated users (domain users) can only add 10 machines to
the domain. see
http://blogs.technet.com/jhoward/arc...18/403817.aspx for
instructions on how to change.

"Misoft" <horse2k4_4@yahoo.cm> wrote in message
news:u5Qp546RFHA.2788@TK2MSFTNGP09.phx.gbl...
>I have a person who i must delegate him to join domain permission .I do :
> Right click abc.com , delegate control ...,next ,add user peter@abc.com
> ,next ,checked "Join a computer to the domain" ,next ,finnish .But Peter
> cannot join another computer to domain .
> Pls ,tell me WHY ?
> How can I delegate him join another computer to domain ???
> Thank so much for reading !!!
>
>

I do http://blogs.technet.com/jhoward/arc...18/403817.aspx . But
when my user join computer to domain it report "Access Deny"
WHY ?
Thanks so much for reading

"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:e2#kQY7RFHA.1476@TK2MSFTNGP09.phx.gbl...
> by default authenticated users (domain users) can only add 10 machines to
> the domain. see
> http://blogs.technet.com/jhoward/arc...18/403817.aspx for
> instructions on how to change.
>
> "Misoft" <horse2k4_4@yahoo.cm> wrote in message
> news:u5Qp546RFHA.2788@TK2MSFTNGP09.phx.gbl...
> >I have a person who i must delegate him to join domain permission .I do :
> > Right click abc.com , delegate control ...,next ,add user
peter@abc.com
> > ,next ,checked "Join a computer to the domain" ,next ,finnish .But Peter
> > cannot join another computer to domain .
> > Pls ,tell me WHY ?
> > How can I delegate him join another computer to domain ???
> > Thank so much for reading !!!
> >
> >
>
>

Lets go thru the steps.

1) Delegated the right to create a computer account in a specific OU

2) User creates the computer account in the OU *AND* specifies which
account/group may join the computer to the domain. (Watch this one as it
defaults to Domain Admins and tends to be what generates the Access Denied
later.)

3) User goes to machine in question and joins it to the domain within 15
minutes


"Misoft" <horse2k4_4@yahoo.cm> wrote in message
news:uy$BKp9RFHA.3444@tk2msftngp13.phx.gbl...
>I do http://blogs.technet.com/jhoward/arc...18/403817.aspx . But
> when my user join computer to domain it report "Access Deny"
> WHY ?
> Thanks so much for reading
>
> "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> news:e2#kQY7RFHA.1476@TK2MSFTNGP09.phx.gbl...
>> by default authenticated users (domain users) can only add 10 machines to
>> the domain. see
>> http://blogs.technet.com/jhoward/arc...18/403817.aspx for
>> instructions on how to change.
>>
>> "Misoft" <horse2k4_4@yahoo.cm> wrote in message
>> news:u5Qp546RFHA.2788@TK2MSFTNGP09.phx.gbl...
>> >I have a person who i must delegate him to join domain permission .I do
>> >:
>> > Right click abc.com , delegate control ...,next ,add user
> peter@abc.com
>> > ,next ,checked "Join a computer to the domain" ,next ,finnish .But
>> > Peter
>> > cannot join another computer to domain .
>> > Pls ,tell me WHY ?
>> > How can I delegate him join another computer to domain ???
>> > Thank so much for reading !!!
>> >
>> >
>>
>>
>
>

Wouldn't it be easier to just delegate the permissions on the computers
container?

And then, grant delete as well and write in another OU so that a move can be
performed?

Maybe not, I would assume that pre-creating computer accounts would be a
real chore ;-)

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

maybe for some... maybe not for others. really depends on how the site
operates.

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:Osix57LSFHA.3052@TK2MSFTNGP09.phx.gbl...
> Wouldn't it be easier to just delegate the permissions on the computers
> container?
>
> And then, grant delete as well and write in another OU so that a move can
> be
> performed?
>
> Maybe not, I would assume that pre-creating computer accounts would be a
> real chore ;-)
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>

I guess.

I just wouldn't give the people who join the machines to the domain any
access to AD --they'd just be able to add machines. Somebody else could
move those computers ;-)

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net