Microsoft KB Archive/224676

{|
 * width="100%"|

Enabling Authenticated Users to Join Computers to a Domain with No Administrative Intervention

 * }

ID: Q224676

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional

-

SUMMARY
By default, only members of the Authenticated Users global group have the requisite authority to join computers to a domain.

MORE INFORMATION
To provide users the ability to join computers to the domain without administrative intervention, perform the following steps while you are logged on the desired domain with authenticated user credentials:


 * 1) Click Start, point to Settings, and then click Control Panel.
 * 2) Double-click Administrative Tools, and then double-click Active Directory Users and Computers.
 * 3) Right-click the default computers container for the domain, and then click Delegate Control to begin the Delegation of Control Wizard.
 * 4) Click Next.
 * 5) In the Active Directory folder, click Next to proceed with the currently selected folder.
 * 6) In the Group or User Selection dialog box, click Add click Authenticated Users, click OK, and then click Next.
 * 7) In the Predefined Delegations dialog box, click Custom Task, and then click Next.
 * 8) In the Active Directory Object Type dialog box, click Entire folder:, and then click Next.
 * 9) In the Permissions dialog box, click Show creation/deletion of subobject permission to provide the options you want in the Permissions to delegate: box. Scroll through the Permissions box and click the Create computer objects and Delete computer objects check boxes to select them, and then click Next.
 * 10) Click Finish.

Accomplishing This Goal Using Group Policy
Following the release of B3 of Windows 2000, it is now possible to provide users the ability to add their own computers to the domain by simply modifying the group policy object for the "Domain Controllers" organizational unit. Here are the steps involved in making this change in this manner.

 Start the Group Policy Editor MMC snap-in, with its context pointed at the Domain Controllers Organizational unit. This can be accomplished by right-clicking the Domain Controllers OU from within the Active Directory Users and Computers MMC snap-in, clicking Properties, clicking the Group Policy tab, clicking the Default Domain Controllers Policy policy object, and then clicking Edit.  Navigate to the following node of the group policy object: "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\User Right Assignment" Double-click on the Add workstations to domain node object to open a dialog box in which you can add domain users and groups as you see fit, to provide them the ability to create new workstations on the domain.

Remember that group policy must be reapplied to the domain controllers before users will be able to exercise this privilege.

Additional query words:

Keywords :

Version : WINDOWS:2000

Platform : WINDOWS

Issue type : kbhowto

Technology :