By default, Domain Users can only join computers to the domain 10 times however it’s sometimes useful for certain users to be able to exceed that limit – for example, helpdesk staff who might not be Domain Admins.
This can be achieved by delegating control in Active Directory or using Group Policy.
Active Directory
- Open Active Directory Users and Computers, right click your domain name then select Delegate Control (you can also select a specific OU if you prefer):
- The Delegation of Control Wizard will start, click next:
- Add the user or group and click next:
- Select Create a custom task to delegate and click next:
- Select Only the following objects in the folder then tick Computer objects in the list. Also tick Create selected objects in this folder and click next:
- Tick General and Creation/deletion of specific child objects then tick Create All Child Objects in the list. (General should already be ticket – if not, tick it). Click next:
- To finish the wizard, click Finish:
Group Policy
- Open Group Policy Management and edit the Default Domain Policy:
- Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and select Add workstations to domain:
- Tick Define these policy settings, add the user or group and click OK:
Leave a Reply