In this blog post, I will show you two ways to allow a domain user to add a computer to the domain. By default, Authenticated Users can join up to 10 computers anywhere in the domain (controlled by ms-DS-MachineAccountQuota). This domain attribute caps how many computer accounts a non-admin can create through the quota-based method. Setting it to 0 (recommended) blocks non-admins from joining PCs to the domain through that quota.
A policy setting called Add workstations to domain defines who may use that quota to create up to 10 computer accounts in the domain. It is part of the Default Domain Controllers Policy, and by default Authenticated Users is listed in it.
Another recommended approach is to grant the Create Computer Objects permission on the OU where you want users to create computer accounts (i.e., join computers to the domain). With this method, users are not limited to 10 computer accounts in that OU. If a user is granted both the Add workstations to domain right and the Create Computer Objects permission on the OU, Create Computer Objects takes precedence.
Method 1: Add workstations to Domain GPO Setting
As mentioned earlier, Authenticated Users is already listed in the Add workstations to domain setting. You can add or remove users or groups in this setting to allow or deny domain users the ability to join computers to the domain.
- Log in to a domain controller and open the Group Policy Management Console (gpmc.msc).
- Under Group Policy Objects, find Default Domain Controllers Policy, right-click it and select Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment. On the right-hand side, double-click Add workstations to domain.
- Here, you can see that the Authenticated Users group is added by default, which means any authenticated user can join computers to the domain. If you want to restrict this, remove Authenticated Users and explicitly add the specific user or AD security group that’s allowed to join computers to the domain.
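Before changing the GPO it helps to see what is currently in effect. The script below is an added example, not code from the original post: it reads ms-DS-MachineAccountQuota from the domain head (the quota described in the introduction), lists who currently holds the Add workstations to domain right on the DC it runs on (what Method 1 edits), and provides a function to set the quota to 0. It assumes the ActiveDirectory RSAT module is installed and that it runs in an elevated session on a domain controller; `secedit` is used because the effective user right on a DC is what the Default Domain Controllers Policy has applied.

```powershell
# Added example (not from the original post): audit ms-DS-MachineAccountQuota and the
# "Add workstations to domain" user right (SeMachineAccountPrivilege), and optionally close the quota.
# Assumes the ActiveDirectory RSAT module and an elevated session on a domain controller.
Import-Module ActiveDirectory

# ms-DS-MachineAccountQuota lives on the domain naming context head (e.g. DC=corp,DC=example).
function Get-MachineAccountQuota {
    $domainDn = (Get-ADDomain).DistinguishedName
    $obj = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
    return [int]$obj.'ms-DS-MachineAccountQuota'
}

# Set the quota (0 = non-admins can no longer use the quota to create computer accounts).
function Set-MachineAccountQuota {
    param([Parameter(Mandatory)][int]$Quota)
    $domainDn = (Get-ADDomain).DistinguishedName
    Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

# Who holds "Add workstations to domain" on this DC. secedit exports the effective local
# security database, which reflects the Default Domain Controllers Policy once it has applied.
function Get-AddWorkstationsRightHolders {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -like 'SeMachineAccountPrivilege*' } | Select-Object -First 1
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }            # right not granted to anyone

    $entries = ($line -split '=', 2)[1] -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {             # secedit writes SIDs as *S-1-5-11
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else {
            $e                                # already an account name
        }
    }
}

$quota   = Get-MachineAccountQuota
$holders = @(Get-AddWorkstationsRightHolders)
"ms-DS-MachineAccountQuota  : $quota"
"Add workstations to domain : $($holders -join ', ')"
if ($quota -ne 0 -and $holders -contains 'NT AUTHORITY\Authenticated Users') {
    Write-Warning "Any authenticated user can still create up to $quota computer accounts. Run 'Set-MachineAccountQuota -Quota 0' or tighten the user right as in Method 1."
}
```

Run it again after `gpupdate /force` on the DC to confirm that the Method 1 change has actually taken effect; the GPO edit alone does not change the exported setting until Group Policy has reapplied.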
Method 2: Delegate Join rights on a Target OU
The second method to allow domain users to join computers to the domain is to delegate the right to create computer accounts on a specific organizational unit (OU). When users have delegated rights to create computer accounts, the limit of 10 computer accounts does not apply.
Users can create and join any number of computers to the domain. This is a more targeted and recommended approach compared with Method 1. Let’s walk through the steps to delegate permissions to specific users or groups so they can join computers to the domain.
- In Active Directory Users and Computers, right-click the Computers OU and select Delegate Control.
- On the Welcome to the Delegation of Control Wizard screen, click Next.
- On the Users or Groups screen, click Add and add the user account or Active Directory group that will be permitted to join computers to the domain. For demonstration purposes, I added a dedicated account named WSJoiner for domain joins. If multiple administrators or users need this capability, it is best to create an AD security group and add that group here. Click Next.
- On the Tasks to Delegate screen, select the radio button Create a custom task to delegate. Click Next.
- On the Active Directory Object Type screen, select Only the following objects in the folder and tick Computer objects. Then select the checkbox Create selected objects in this folder. Click Next.
- On the Permissions screen, select Validated write to DNS host name and Validated write to service principal name. Click Next.
- On the Completing the Delegation of Control Wizard screen, click Finish.
That’s it! You’ve successfully delegated the rights for a user or group to join computers to the domain.
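The same delegation can be applied and, more importantly, reviewed from PowerShell. The script below is an added example, not code from the original post or the wizard: it writes the three ACEs the wizard steps above produce (Create Computer Objects on the OU, plus the two validated writes on Computer objects beneath it) and then lists every ACE on the OU that is scoped to Computer objects. It assumes the ActiveDirectory RSAT module; the OU distinguished name and the `CORP\WSJoiners` group are placeholders. The three GUIDs are the well-known schemaIDGUID of the Computer class and the rightsGuid values of the two validated-write extended rights.

```powershell
# Added example (not from the original post): delegate computer-join rights on an OU with
# an explicit ACL, mirroring the wizard choices, then report the resulting ACEs for review.
# Assumes the ActiveDirectory RSAT module; the OU and group names below are placeholders.
Import-Module ActiveDirectory

# Well-known schema and extended-right GUIDs behind the wizard's check boxes.
$ComputerClassGuid    = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class Computer
$ValidatedDnsHostName = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # Validated write to DNS host name
$ValidatedSpn         = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # Validated write to service principal name

# Build one Allow ACE, object-specific and optionally limited to descendants of one class.
function New-AdAllowAce {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [Guid]$InheritedObjectType = [Guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Identity, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType
    )
}

function Grant-ComputerJoinDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,   # e.g. 'OU=Workstations,DC=corp,DC=example'
        [Parameter(Mandatory)][string]$Principal               # e.g. 'CORP\WSJoiners'
    )
    $identity = [System.Security.Principal.NTAccount]$Principal
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path

    # "Create selected objects in this folder" for Computer objects, on the OU itself.
    $acl.AddAccessRule((New-AdAllowAce -Identity $identity -Rights CreateChild `
        -ObjectType $ComputerClassGuid -Inheritance None))

    # The two validated writes, applied to Computer objects created beneath the OU.
    foreach ($right in @($ValidatedDnsHostName, $ValidatedSpn)) {
        $acl.AddAccessRule((New-AdAllowAce -Identity $identity -Rights Self -ObjectType $right `
            -Inheritance Descendents -InheritedObjectType $ComputerClassGuid))
    }
    Set-Acl -Path $path -AclObject $acl
}

# Every ACE on the OU that is scoped to Computer objects, so the delegation can be reviewed.
function Get-ComputerJoinDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.ObjectType -eq $ComputerClassGuid -or $_.InheritedObjectType -eq $ComputerClassGuid } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
}

$ou = 'OU=Workstations,DC=corp,DC=example'                                          # placeholder OU
Grant-ComputerJoinDelegation -OuDistinguishedName $ou -Principal 'CORP\WSJoiners'   # placeholder group
Get-ComputerJoinDelegation -OuDistinguishedName $ou | Format-Table -AutoSize
```

Because the ACEs live on that one OU, the delegated account only benefits from them when the computer account is created in (or pre-staged in) that OU; a join that lands in the default Computers container falls back to the quota and user right from Method 1. Running `Get-ComputerJoinDelegation` periodically, or on every OU, is a cheap way to spot delegations that were granted more broadly than intended.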
Conclusion
In this blog post, we have looked at two ways to allow a domain user to join computers to the domain. By default, all authenticated users already have this permission, but that is not best practice. Method 2 is therefore the recommended approach: dedicate an account or group that has permission to add computers to the domain.