Delegate Permissions to add more than 10 Computers to Domain

We all know that BY DEFAULT ……any Active Directory Domain have the setting “Add workstations to domain” user wright (in group policy) set to Authenticated Users in the Default Domain Controllers Policy only …..wright ? peace of cake 🙂
And that makes any any user in the domain able to join machines to the domain BUT with the hard limit of up to 10 machines (WHY? I don’t know ! ask Microsoft :))
But what if you want to give a specific user or group the wright to join any number of PCs to the domain – without giving this user Domain Admin permission – (and also rejoin old machines to the domain, which involves and need Reset Password permission on the Computers Container ) ….. then you must delegate to this user or group a specific security permissions as following steps:

1- Locate and right-click the OU that contains Computer Accounts, and then click Delegate Control.
2- In the Delegation of Control Wizard, click Next.
3- Click Add to add a specific user or a specific group to the selected users and groups list, and then click Next.
4- In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
5- Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
6- Click Next.
7- In the Permissions list, click to select the following check boxes:
a. Reset Password
b. Read and write Account Restrictions
c. Validated write to DNS host name
d. Validated write to service principal name
DON’T just add the group or user to the User Wright: “Add workstations to domain” it will not allow them to add more than 10 machines only 

and If you want to change this and prevent any user in domain to join any workstation to domain, you must remove “Authenticated Users” from Group Policy settings: “Add Workstations to Domain” in “Default Domain Controllers Policy”   and add only users or group that you want to allow. 🙂


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s