Delegate Permissions to add more than 10 Computers to Domain

We all know that BY DEFAULT any Active Directory domain has the user right “Add workstations to domain” (in Group Policy) set to Authenticated Users, and only in the Default Domain Controllers Policy ….. right? Piece of cake 🙂
And that makes any user in the domain able to join machines to the domain, BUT with a hard limit of up to 10 machines (WHY? I don’t know! Ask Microsoft :))
But what if you want to give a specific user or group the right to join any number of PCs to the domain, without giving this user Domain Admin permissions (and also to rejoin old machines to the domain, which needs the Reset Password permission on the Computers container)? Then you must delegate specific security permissions to this user or group, with the following steps:

1- Locate and right-click the OU that contains Computer Accounts, and then click Delegate Control.
2- In the Delegation of Control Wizard, click Next.
3- Click Add to add a specific user or a specific group to the selected users and groups list, and then click Next.
4- In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
5- Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
6- Click Next.
7- In the Permissions list, click to select the following check boxes:
a. Reset Password
b. Read and write Account Restrictions
c. Validated write to DNS host name
d. Validated write to service principal name
DON’T just add the group or user to the user right “Add workstations to domain”; that alone will still not allow them to add more than 10 machines.
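The same delegation can be scripted instead of clicked through the wizard. The following is an added example, not from the original post: it grants the rights of steps 5 and 7 with the ActiveDirectory PowerShell module. The OU distinguished name and the group name are assumed placeholders; the schema GUIDs are the well-known values for the computer class, the Reset Password right, the Account Restrictions property set and the two validated writes.

```powershell
# Added example, not from the original post: grant the same rights the Delegation of
# Control Wizard grants in steps 5 and 7, from PowerShell (ActiveDirectory module).
# OU distinguished name and group name below are assumed placeholders; replace them.
Import-Module ActiveDirectory

$ouDN  = "OU=Workstations,DC=contoso,DC=com"   # assumed: OU that holds the computer accounts
$group = "JoinComputers"                        # assumed: group that may join/rejoin PCs
$sid   = (Get-ADGroup -Identity $group).SID

# Well-known AD schema GUIDs for the object class, extended rights and property set involved
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password (extended right)
$acctRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # Account Restrictions (property set)
$validatedDns  = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # Validated write to DNS host name
$validatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # Validated write to service principal name

function New-Ace {
    # Build one Allow ACE for $sid; $InheritedType limits inheritance to that object class
    param([string]$Rights, [Guid]$ObjectType, [string]$Inheritance, [Guid]$InheritedType = [Guid]::Empty)
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        $InheritedType)
}

$acl = Get-Acl -Path "AD:\$ouDN"

# Step 5: create and delete Computer objects in this OU (and its sub-OUs)
$acl.AddAccessRule((New-Ace -Rights 'CreateChild' -ObjectType $computerClass -Inheritance 'All'))
$acl.AddAccessRule((New-Ace -Rights 'DeleteChild' -ObjectType $computerClass -Inheritance 'All'))

# Step 7: rights on the computer objects themselves, inherited only by Computer descendants
$acl.AddAccessRule((New-Ace 'ExtendedRight'              $resetPassword 'Descendents' $computerClass))  # a. Reset Password
$acl.AddAccessRule((New-Ace 'ReadProperty,WriteProperty' $acctRestrict  'Descendents' $computerClass))  # b. Account Restrictions
$acl.AddAccessRule((New-Ace 'Self'                       $validatedDns  'Descendents' $computerClass))  # c. Validated write to DNS host name
$acl.AddAccessRule((New-Ace 'Self'                       $validatedSpn  'Descendents' $computerClass))  # d. Validated write to SPN

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check what the group now holds on the OU (ObjectType/InheritedObjectType show the GUIDs above)
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$group" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Note that this leaves the default 10-machine quota itself (the domain’s ms-DS-MachineAccountQuota attribute) untouched; the group bypasses it because it now creates the computer objects under its own delegated rights, which is exactly what the wizard steps above achieve.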

And if you want to change this and prevent any user in the domain from joining any workstation to the domain, you must remove “Authenticated Users” from the Group Policy setting “Add workstations to domain” in the “Default Domain Controllers Policy” and add only the users or groups that you want to allow. 🙂

Free AD Tools that made my day

I will show you today three free tools from SolarWinds that can do great maintenance tasks on Active Directory:

1- Delete obsolete user accounts:

With this you can get a report of all inactive user accounts (based on the last logon time attribute of the object in AD) after choosing the inactive period to check, for example all accounts that didn’t log into the domain for 30 days or 90 days, and you can delete them directly from your AD or export them to a CSV file, where you can use PowerShell to delete or disable them as you like.

2- Delete obsolete computer accounts

With this you can get a report of all inactive computer accounts (based on the last logon time attribute of the object in AD) after choosing the inactive period to check, for example all computers that didn’t log into the domain for 30 days or 90 days, and you can delete them directly from your AD or export them to a CSV file, where you can use PowerShell to delete or disable them, or move them to a specific OU for obsolete objects, as you like.

3- Import User Accounts:

With this you can bulk-create user accounts based on a list in a CSV file, and you can also choose whether or not to create mailboxes for them.


Although we can do these tasks with PowerShell, it is easier to do them with these tools if you are not familiar with PowerShell.

You can download them from this link:

http://www.solarwinds.com/products/freetools/ad_admin_tools.aspx