Allow Domain User To Add Computer To Domain - Prajwal Desai


Allow Domain User To Add Computer to Domain

Written By

Prajwal Desai

Last Updated

August 16, 2021

Posted In
  • Active Directory

In this post you will see how to allow a domain user to add a computer to the domain, that is, to let a user join workstations to the domain. You might ask: a domain user can already join computers to the domain, so what is wrong? Here is the right information: by default, any authenticated user has this right and can create up to 10 computer accounts in the domain. If the user tries to add an 11th computer to the domain, the user gets an error.

As per Microsoft, users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The difference is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added based on the computer container permissions rather than on the user right.
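To check how the quota and the ownership difference described above look in a given domain, the following added example (not part of the original post) reads the per-user limit and reports who created and who owns each computer account. It assumes the ActiveDirectory RSAT module, that the limit is read from the domain's `ms-DS-MachineAccountQuota` attribute and the creator from `mS-DS-CreatorSID`, and English group names in the owner filter.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# The per-user join limit (10 by default) is stored on the domain object.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# Resolve a SID to DOMAIN\name; fall back to the raw SID for deleted accounts.
function Resolve-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

# Accounts created through the user right carry the joining user's SID in
# mS-DS-CreatorSID and are owned by Domain Admins. Accounts created through
# container permissions are owned by their creator.
$report = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', nTSecurityDescriptor, whenCreated |
    ForEach-Object {
        $creator = $_.'mS-DS-CreatorSID'
        [pscustomobject]@{
            Computer    = $_.Name
            WhenCreated = $_.whenCreated
            Owner       = $_.nTSecurityDescriptor.Owner
            CreatedBy   = if ($creator) { Resolve-Sid $creator } else { $null }
        }
    }

# Per-user count of joined computers, shown next to the quota.
$report | Where-Object { $_.CreatedBy } |
    Group-Object CreatedBy |
    Select-Object @{n='JoinedBy'; e={ $_.Name }}, Count, @{n='Quota'; e={ $quota }} |
    Sort-Object Count -Descending

# Computer objects whose owner is not an admin group (assumed English names):
# typically created through delegated container permissions.
$report |
    Where-Object { $_.Owner -notmatch '\\(Domain Admins|Enterprise Admins|Administrators)$' } |
    Sort-Object WhenCreated |
    Format-Table -AutoSize
```

The owner of a computer object can change that object's permissions, so the second table is the list to review after delegating rights on a container.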

Allow Domain User To Add Computer to Domain

There are two ways to allow a domain user to add or join a computer to the domain.

1) Assign rights to the user/group using the Default Domain Group policy.

2) Delegate rights to the user using Active Directory Users and Computers.

Method 1 – Assign rights to the user/group using the Default Domain Group policy

To allow a user or group to add a computer to a domain, perform the steps below.

Log in to the domain controller and launch the Group Policy Management console. Right-click the Default Domain Group policy and click Edit.

Navigate through Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Expand User Rights Assignment. On the right-hand side, double-click the Add workstations to domain policy.

Check the box Define these policy settings. Click Add User or Group and select the user or group. Click Apply and OK.


Method 2 – Delegate rights to user/group using Active Directory Users and Computers

Open the Active Directory Users and Computers snap-in. Right-click the container under which you want the computers to be added (In this example I am choosing the Computers container) and click on Delegate Control.


You will now see Delegation of Control Wizard. Click Next.


To add a user or group click Add. Once you are done click Next.


Tasks to Delegate – Click Create a custom task to delegate. Click Next.


Choose Only the following objects in the folder and check the box Computer Objects. Check the box Create selected objects in this folder. Click Next.


Permissions – Select General, select Create All Child Objects. Click Next.


Click Finish.
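To review what the wizard has written, the following added example (not part of the original post) lists every principal that is allowed to create computer objects in a container. It assumes the ActiveDirectory RSAT module, which provides the `AD:` drive, and defaults to the domain's Computers container used in this post; replace `$container` with an OU distinguished name to check another location.

```powershell
# Added example: needs the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

# Container to inspect. The post delegates on the default Computers container.
$container = (Get-ADDomain).ComputersContainer

# schemaIDGUID of the "computer" object class, as used in object-specific ACEs.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
# An empty GUID means the ACE is not limited to one class (all child objects).
$anyClass      = [guid]::Empty

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$acl = Get-Acl -Path "AD:\$container"

# Keep Allow ACEs that include CreateChild (GenericAll includes it as well)
# and that apply to computer objects or to every object class.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq $anyClass)
    } |
    Select-Object IdentityReference,
                  ActiveDirectoryRights,
                  @{n='Scope'; e={
                      if ($_.ObjectType -eq $computerClass) { 'computer objects' }
                      else { 'all object classes' }
                  }},
                  @{n='Inherited'; e={ $_.IsInherited }},
                  InheritanceType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Any user or group in the output other than the built-in administrative groups and the principal chosen in the wizard is a delegation to question or remove.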


30 Comments

  1. Hello, How to view the current delegation on an object?

  2. I believe that option 1 should be applied to Default Domain Controllers Policy. Even if you open the description of the right it clearly states: This security setting is valid only on domain controllers. So modifying it on Default Domain Policy makes no sense. Please correct me if wrong.

  3. Hello Desai, how would I do this in PowerShell? Any help would be appreciated. Thx.

  4. Would these same delegate permissions work when reimaging an existing device that already resides within AD?

    For example: PC-01 is new and upon Domain Join a new Computer Account is created in the default ‘Computers’ container. PC-02 already exists and resides in an OU called ‘Staff PCs’.

    If I applied these delegate permissions to the ‘Staff PCs’ OU, would this be sufficient to override the existing Computer Account in the ‘Staff PCs’ OU?

    Thanks in advance and keep up the great work!

    1. I have the same question. Did you get this working?

    2. Wondering about this as well.

  5. Your post is very helpful. Thank you so much.

    1. Thanks for the comment.

  6. How to remove the delegate? Like we want to revoke the rights delegated to a domain user.

    1. Just remove the delegated object from your OU 🙂

  7. No use, it's not working, delegation of control, unable to manage user profile with alternate users…

  8. If my existing user resigns and I need to add a new user with the resigned user's rights and policy, how can I do this…

    1. You can simply use any of the methods mentioned in the post. For example you can use delegate rights to user/group using Active Directory Users and Computers method and allow the new user the permission to add computer to domain.

  9. Thank you Prajwal. It was helpful.

  10. Excellent description – I followed option 2 and it worked well

    1. That’s great

  11. Hi Prajwal, I have one question to ask you. I joined a Windows 7 client to my DC (AD). After that, I want to grant permission so that only the Admin User from the DC can log on to the client computer. In addition, I want to allow only the users in AD that I added in Manage User Account on the Windows 7 client to log on to that Windows 7 client. How to configure this process? Thanks in advance. Sidet

  12. Your Solution is always v. clear. Thanks

    1. Thank you Vaibhav.

  13. If we want to add more than 10 computers, what should we do? Kindly provide SOP with SAP

  14. Dear Prajwal, I have a doubt: if I use both methods, can we add more than 10 computers? Because I want to apply this scenario to the helpdesk OU and work grp. So kindly give solutions

  15. I have two questions regarding delegating rights:

    (1) Could you explain why the Create All Child Objects permission must be enabled besides the “Create selected objects in this folder” option?

    (2) What about a more real-life scenario where you have a tree of containers for computers:

    Workstations
    + Desktops
    -+ Win7
    -+ Win10
    + Laptops
    -+ Win7
    -+ Win10

    Is it possible that you delegate a user control for the whole tree of containers (Workstations and all subcontainers in the above example)?

  16. How does the user go about making the changes? Do I need to install Active Directory on the client machine? I assume this is the answer, just want to be certain!

  17. Very clear, but what are the differences? Which one is better in your opinion?

    1. Method 2

  18. Very clear, but what are the differences? Which one is better?

  19. Nice Article. Just learned how a local admin had the right to add a computer to our domain.

    1. Glad to know it helped you.

  20. Perfect and very clear steps. Thanks Prajwal

    1. Thank you Ramesh.