add user to join domain not domain admin

Posted by: tora130 on: April 3, 2009

• In: w2k3, AD, DNS, DHCP, Virtualization
• Comment!

http://www.tomshardware.com/forum/220933-46-restrict-computer-domain-join-domain

Have you tried setting the “Add workstations to domain” policy?

———————policy description from help
file —————————
Add workstations to domain
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment

Description
Determines which groups or users can add workstations to a domain.

This policy is valid only on domain controllers. By default, any
authenticated user has this right and can create up to 10 computer accounts
in the domain.

Adding a computer account to the domain allows the computer to participate
in Active Directory-based networking. For example, adding a workstation to a
domain enables that workstation to recognize accounts and groups that exist
in Active Directory.

Default: Authenticated Users.

Note

a.. Users who have the Create Computer Objects permission on the Active
Directory computers container can also create computer accounts in the
domain. The distinction is that users with permissions on the container are
not restricted to the creation of only 10 computer accounts. In addition,
computer accounts that are created by means of “Add workstations to domain”
have Domain Administrators as the owner of the computer account, while
computer accounts that are created by means of permissions on the computers
container have the creator as the owner of the computer account. If a user
has permissions on the container and also has the “Add workstations to
domain” user right, the computer is added, based on the computer container
permissions rather than on the user right.
For more information, see:

Security Configuration Manager Tools in help.