We have a team that rolls out new workstations and laptops as necessary. To more closely adhere to the concept of least privilege, which calls for giving each user only the minimum privileges needed to do his or her job, we removed this team from the Domain Admin group but gave it the Add workstations to domain right. Everything worked fine for the first several workstations, but suddenly Windows started rejecting attempts to add more computers. What's going on?
The Add workstations to domain right gives a user the authority to add 10 new computers to the domain. After 10 workstations have been added, further attempts are denied, as you've experienced. To give your workstation team unlimited authority to add computers to the domain, grant the team the Create computer object permission on the organizational units (OUs) in which the team needs to add new computers.
Even though the Add workstations to domain right shows up on Windows Server 2003 and Windows 2000 Server member servers and Windows XP computers, it takes effect only on domain controllers (DCs). Also, default settings assign this right to Authenticated Users, which means that anyone in your forest or in a trusted forest can create as many as 10 computer accounts, so you might want to disable this right.
—Randy Franklin Smith
Only one thing to keep in mind When using the container to give permission to add accounts instead of user permissions, the Owner of the new computer account is the creator not the Domain Admins group. Not everyone may want this.
-- CNK
Register
