Access Denied: Controlling the Right to Add New Computers to a Domain
Learn several methods you can use to control the right to add new computers to a domain.
April 16, 2002
I know two ways that an administrator can control the right to add new computers to a domain. The first method involves granting the Add workstations to domain user right. The second method involves granting the Create computer objects permission on organizational units (OUs). How do these two methods differ? Are there other methods I should know about?
The Add workstations to domain user right lets a user create as many as 10 computer accounts in a domain. The 10-account limit isn't part of the right itself: it comes from the ms-DS-MachineAccountQuota attribute on the domain object (10 by default), and Active Directory records the creating user's SID in each such account's mS-DS-CreatorSID attribute so that it can count them. By default, Windows 2000 grants the Add workstations to domain right to Authenticated Users in the Default Domain Controllers Policy. Therefore, in a default-configured domain, every authenticated user in the forest can add as many as 10 computers to each domain in the forest. I recommend removing this right assignment from the Default Domain Controllers Policy Group Policy Object (GPO) to keep unwanted computers out of your domains; setting ms-DS-MachineAccountQuota to 0 closes the same door from the other side, so doing both is a reasonable belt-and-suspenders measure.
The Create computer objects permission on an OU lets you add any number of new computers to that OU; the quota doesn't apply to accounts created this way. By default, only Administrators and Account Operators have this permission on OUs. Because the permission is scoped to the OU on which you grant it (and to child OUs if you let it inherit), you can delegate it to a help desk group for one OU without giving that group any right to create computers elsewhere in the domain.
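The following script is an added example, not part of the original column, that audits and tightens both controls the column describes: the quota behind the Add workstations to domain right, the right's assignment in the Default Domain Controllers Policy, and a scoped Create computer objects delegation on one OU. It assumes the RSAT ActiveDirectory PowerShell module, dsacls.exe, a Domain Admin session, and a hypothetical OU named Workstations and group named Desktop-Techs; the GPO GUID and the computer class GUID are the well-known fixed values.

```powershell
# Added example (not from the original column). Assumes the ActiveDirectory
# module and dsacls.exe, run as a Domain Admin. OU and group names are hypothetical.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouDN   = "OU=Workstations,$($domain.DistinguishedName)"   # assumed OU
$group  = "$($domain.NetBIOSName)\Desktop-Techs"            # assumed group

# 1. The "10 computers" limit is ms-DS-MachineAccountQuota on the domain object.
#    Setting it to 0 disables the quota-based path even if the user right is
#    still assigned somewhere.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $quota"
Set-ADObject -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}

# 2. Audit who holds "Add workstations to domain" (SeMachineAccountPrivilege) in the
#    Default Domain Controllers Policy. That GPO's GUID is fixed; the setting lives in
#    its GptTmpl.inf as "SeMachineAccountPrivilege = *S-1-5-11" (S-1-5-11 is
#    Authenticated Users). Removing the entry is done in the Group Policy editor.
$gpoPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}"
$inf  = Join-Path $gpoPath 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$line = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
if ($line) {
    $sids = ($line.Line -split '=')[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        $name = try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }
        "SeMachineAccountPrivilege held by: $name"
    }
} else {
    "SeMachineAccountPrivilege is not defined in the Default Domain Controllers Policy"
}

# 3. Which existing accounts came in through the quota path? Only accounts created
#    under the quota carry mS-DS-CreatorSID; accounts created with the Create computer
#    objects permission do not. The attribute may come back as a byte array.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    Select-Object Name, whenCreated, @{ n = 'Creator'; e = {
        $raw = $_.'mS-DS-CreatorSID'
        $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) } else { $raw }
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    } }

# 4. Delegate Create/Delete of computer objects on one OU only (the column's second
#    method), scoped to a group rather than Authenticated Users. CC/DC = create/delete
#    child; ";computer" limits the ACE to the computer object class; /I:T applies it
#    to the OU and everything beneath it. Braces keep "$group:" from being parsed as a
#    scope qualifier.
dsacls "$ouDN" /I:T /G "${group}:CCDC;computer"

# 5. Verify: list the ACEs on the OU that allow creating computer objects.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and
                   $_.ObjectType -eq $computerClassGuid -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

Step 2 only reports the right; the removal itself is done in the GPO as the column recommends, and the script is idempotent otherwise, so it can be rerun as a periodic check. Step 3 is the quickest way to find out how much the default Authenticated Users assignment has already been used in a domain before you turn it off.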
Using one of these two rights, you have three ways to add a computer to a domain. First, here's one way you can use the Add workstations to domain right. Toward the end of a Windows installation, Windows asks you whether the computer should be a member of a domain. If you choose to add the system to a domain, the program prompts you for the computer's name and the name of the domain in which to create its account. Win2K creates the new computer account in the AD Computers container, which you can view in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Note that Computers is a container, not an OU, so you can't link a GPO to it; a computer that lands there gets only domain-level policy.
Second, you can use the net computer \\computername /add command to create the computer account. The command is available only on Windows 2000 Server, and it creates the account in the Computers container of the domain of the computer on which you run it. Later, when you install Windows on another computer and Windows asks you for a computer name and domain, you can claim the newly created computer account by supplying that name.
Third, you can simply right-click an OU in the Active Directory Users and Computers snap-in and select New, Computer. This method requires that you have the Create computer objects permission on that OU, and it's the only one of the three that lets you put the account directly in the OU you want rather than in the Computers container.
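The pre-stage-then-join procedure from the second and third methods above, scripted as an added example (not the column's own steps). It assumes the ActiveDirectory module on an admin workstation, a hypothetical OU named Workstations with Create computer objects already delegated to a hypothetical EXAMPLE\Desktop-Techs group, a hypothetical technician account EXAMPLE\jdoe in that group, and a hypothetical workstation name.

```powershell
# Added example (not from the original column). All names below are assumptions.
Import-Module ActiveDirectory

$domain = 'example.com'                          # assumed domain
$ouDN   = 'OU=Workstations,DC=example,DC=com'    # assumed OU with delegated Create computer objects
$name   = 'WS-FIN-042'                           # assumed workstation name

# Step 1 (admin workstation, as a delegated technician): pre-stage the account directly
# in the target OU. This exercises the Create computer objects permission, so the
# 10-account quota does not apply, and the machine receives the OU's Group Policy on
# its first boot instead of landing in the Computers container. The creating account
# becomes the object's owner.
New-ADComputer -Name $name -Path $ouDN -Enabled $true

# The Windows 2000-era equivalent from the column, which runs only on a server and can
# only create the account in the Computers container:
#   net computer \\WS-FIN-042 /add

# Step 2 (on the freshly installed machine): claim the pre-staged account. -OUPath
# points the join at the OU holding the account; if no account existed there and the
# credential can create one, Add-Computer creates it in that OU rather than in the
# Computers container. Using the same account that pre-staged the object means no
# extra permissions on the object are needed to complete the join.
$cred = Get-Credential -Message 'Delegated technician account' -UserName 'EXAMPLE\jdoe'
Add-Computer -DomainName $domain -Credential $cred -OUPath $ouDN -Restart

# Step 3 (admin workstation, after the reboot): confirm where the account ended up and
# that the machine actually completed the join (a pre-staged but never-joined account
# still shows a lastLogonTimestamp of $null).
Get-ADComputer -Identity $name -Properties distinguishedName, whenCreated, lastLogonTimestamp |
    Select-Object Name, distinguishedName, whenCreated,
        @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } } }
```

Run Step 1 and Step 3 on the admin workstation and Step 2 on the new machine; they're shown in one block only so the order is clear. Pairing this with a domain in which the Add workstations to domain right has been removed means the OU delegation is the only path by which a new computer can enter the domain, which is the state the column is arguing for.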