How do I delegate the ability to join computers to a domain to groups other than Domain Admins? (NETIQKB52693)

  • 7752693
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
How do I delegate the ability to join computers to a domain to groups other than Domain Admins?

goal
Can users or groups other than Domain Admins join a computer to a domain?

fact
Directory and Resource Administrator 7.x

fix

Any group or user can potentially join a new computer account to a domain, as long as you specify the group or user in the Create Computer Wizard. If you would like to create a special group to perform this function, follow the instructions below.

To create a new group:

  1. Open the Delegation and Configuration Console.
  2. Expand Account and Resource Management > All My Managed Objects.
  3. Expand the domain in which you want to create the group.
  4. Browse to the Organizational Unit (OU) in which you want to create the group.
  5. Right-click the OU and select New > Group.
  6. At the Welcome screen, click Next.
  7. Type in a name for the group.
  8. Leave the group scope as Security and group type as Global.
  9. Click Next and then click Finish.
  10. Select the new group and click the Members tab in the details pane.
  11. Click Add Members.
  12. Type in the names of each user account you want to add to the group, clicking Find Now and then Add after each.
  13. Once all user accounts are added to the group, click OK.

To create the computer:

  1. Open the Account and Resource Management Console.
  2. Expand All My Managed Objects.
  3. Expand the domain in which you want to create the new Computer object.
  4. Browse to the OU in which you want to create the Computer object.
  5. Right-click the OU and select New > Computer.
  6. At the Welcome screen, click Next.
  7. Type in a name for the Computer.
  8. Under The Following User or Group Can Join This Computer to a Domain, click Change.
  9. Type the name of the newly created group and click Find Now.
  10. Select the new group.
  11. Click OK and then click Next.
  12. Click Next again and then click Finish.


note

There is also a script available on NetIQ's Knowledge Depot Web site that will automatically set the user or group that can join the computer to the domain in Windows 2000. For example, Desktop Support group users are usually tasked with joining the computer to the domain, and when this trigger is implemented the Assistant Admin creating the computer account does not need to know the name of the Desktop Support group.

The script is called ComputerJoin.vbs, and it can be downloaded from the Trigger & Policy Scripts section of the Knowledge Depot, located at: https://www.netiq.com/support/dra/extended/knowledgedepot/default.asp.



note

Example scripts that are provided on NetIQ's Knowledge Depot or referenced in Knowledge Base articles are offered on an "as is" basis, and are not part of the supported product set. Customers should be aware that issues that may arise from their use are not supported by NetIQ Technical Support.



Additional Information

Formerly known as NETIQKB52693