Re: Need limited domain admin rights user account.

From: Roger Abell
Date: 08/18/05

Date: Wed, 17 Aug 2005 17:48:45 -0700

Sorry Mike, I was being brain-dead in saying there was a group for
adding computers to domain, when I meant that there is a group policy
setting for that, in the computer tree, local policy / user rights section
named Add workstations to domain and into which you may add the
groups whose members will be allowed to do this.

I believe that there was something else going on to cause the group
change you see and are attributing to an action of the delegation wiz.
Now, I am not sure what, but it would be the first I have heard of that
wiz altering groups rather than ACLs.

Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Mike Bailey" <> wrote in message
> This is what I did though - I ran the delegation of control wizard and
> only selected "Reset user passwords and force password change" and "Join
> a computer to the domain".  When I looked at the security properties of
> the group this was just performed on, the Domain Users group and been
> You said that there is a group for allowing an account to add computers
> to the domain without using the Domain Admin - what is that then?
> I have made some screen shots of the selections I made in the delegation
> wizard and of the resulting security settings if you would like to see
> them.  They are in a Word doc.
> Thanks,
> Mike
> Roger Abell wrote:
> > The delegation of control wizard does not add group memberships
> > to accounts or (by nesting) groups.  It only modifies the ACLs on
> > AD objects in order to effect grants to the group (or, bad form, the
> > account) to which it is delegating.
> >
> > Yes, there is both a group for allowing an account to add computers
> > to the domain, and this can also be done with the delegation of
> > control wizard.  Granting Domain Admin is not needed.
> >
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Mike Bailey" <> wrote in message
> news:eS44uPmoFHA.3256@tk2msftngp13.phx.gbl...
>  >> I thought I had found a solution to what I wanted by running the
>  >> Delegate Control Wizard.  I was able to select the Group I wanted to
>  >> use and then gave it the rights to manage user passwords and to add
>  >> computers to the Domain.  But, when I went back and looked at the
>  >> rights assigned, it added Account Operators I assumed for the password
>  >> management, and then Domain Admins I assume to join computers to the
>  >> domain.  That put me right back to where I was trying to get away from
>  >> which was not making the user a Domain Admin.
>  >>
>  >> Is there a way to give a Group or User the rights to join a computer
>  >> to the domain without making them a Domain Admin?
>  >>
>  >> Mike
>  >>
>  >>
>  >> Roger Abell wrote:
>  >
>  >>> > Part of what I was trying to say was to first, figure out what it
>  >>> > is that you do want the custom group to be able to do.
>  >>> > I guess you do in fact want these accounts to be able to do
>  >>> > everything except for "can't take ownership of folders, can't change
>  >>> > security settings on folders, can't change Administrator passwords"
>  >>> >
>  >>> > I was thinking that you would have a shorter, and precise list of
>  >>> > what the account should be able to do, in which case one can work
>  >>> > toward filling those needs with grants and delegations.
>  >>> >
>  >>> > Given what you have stated, I do not see a way to do that.
>  >>> > The first two of the three things that should not be possible I can
>  >>> > see how to take away from Administrators and instead grant only
>  >>> > to some new group SpecialAdmins that should keep the capabilities.
>  >>> > The second would be extremely labor filled to do.
>  >>> > The last however, not changing pwds of admins (but being able to
>  >>> > change pwd of other accounts) is not obtainable in local machines
>  >>> > when working backwards from Administrators.
>  >>> >
>  >>> > Anyway, it is virtually certain that restricting Administrators will
>  >>> > result in some of those admins finding the ways to get around or
>  >>> > remove the restrictions.
>  >>> > You need to go the other direction and list all that you do want
>  >>> > the people to be able to do.
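
Added example, not part of the thread and not something either poster wrote: a PowerShell check for the two points Roger makes above, that joining computers is governed by the "Add workstations to domain" user right (SeMachineAccountPrivilege) rather than by Domain Admins membership, and that the Delegation of Control wizard writes ACEs on the OU rather than changing group membership. It assumes the RSAT ActiveDirectory module on a domain controller; $GroupName and $OU are placeholders for the delegated group and the OU the wizard was run against. The two GUIDs are the well-known "Reset Password" control access right and the computer class schemaIDGUID.

```powershell
# Added example (not from the thread). Placeholders: adjust to your own domain.
Import-Module ActiveDirectory

$GroupName = 'HelpdeskOps'                          # placeholder: group the wizard delegated to
$OU        = 'OU=Workstations,DC=example,DC=com'    # placeholder: OU the wizard was run on

# 1. Who holds "Add workstations to domain"?  secedit exports the effective local
#    policy on this DC, including the user-rights section, as SIDs.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
if ($line) {
    foreach ($s in ($line.Line -split '=')[1].Trim() -split ',') {
        $sid = $s.Trim().TrimStart('*')
        try   { $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        "SeMachineAccountPrivilege granted to: $name"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# By default Authenticated Users hold that right, limited by ms-DS-MachineAccountQuota (10).
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 2. Did anything nest the delegated group into a built-in admin group?  The wizard
#    should not have; if this fires, something else changed membership.
$adminGroups = 'Domain Admins', 'Account Operators', 'Administrators'
$memberOf = (Get-ADGroup $GroupName -Properties MemberOf).MemberOf |
            ForEach-Object { (Get-ADGroup $_).Name }
$escalated = $memberOf | Where-Object { $adminGroups -contains $_ }
if ($escalated) { "WARNING: $GroupName is nested in: $($escalated -join ', ')" }
else            { "$GroupName is not a member of any built-in admin group" }

# 3. Show the ACEs the wizard actually wrote on the OU for that group.
$resetPwdGuid  = '00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$computerClass = 'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$acl = Get-Acl -Path "AD:\$OU"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    ForEach-Object {
        $ot = $_.ObjectType.ToString()
        if     ($ot -eq $resetPwdGuid)  { $what = 'Reset Password (extended right)' }
        elseif ($ot -eq $computerClass) { $what = 'Create/Delete computer objects' }
        else                            { $what = "ObjectType $ot" }
        [pscustomobject]@{
            Principal = $_.IdentityReference
            Rights    = $_.ActiveDirectoryRights
            Applies   = $what
            Inherited = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

Run it on a DC after using the wizard: step 2 is the direct test of the claim in the thread (the group list should not change), and step 3 shows the delegation as ACEs with ExtendedRight on the reset-password GUID and CreateChild on the computer class, which is what "Join a computer to the domain" in the wizard translates to.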