Allow designated user to join new PC's to network only

Apologies if this is not the correct group.

I would like to know how I can designate a specific user to join new PC's to
a W2K3/XP network without bestowing Admin rights. I have been playing around
with delegation in OU's but cant seem to make it work. Also if I wanted to
delegate a user to be able to create new accounts only from a specific PC
on the network,can this be done?

Many thanks

Hi,

There is a policy where you can set which users or better groups can add
computers to domain. You can to change this policy on Default Domain
Controller Policy under "Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment\" Here look for policy called
"Add workstations to domain" and double click on it. Add group (or user)
that you would like to grant this permission.

Add workstations to domain
http://www.microsoft.com/technet/pro...29f1ca698.mspx

I can't think of a reasonable way that would limit user to only be able to
join computer from specific computer...

Note: by default any domain user can add 10 computers to domain.

--
Mike
Microsoft MVP - Windows Security

"Schrodingers Cat" <(E-Mail Removed)> wrote in message
news:rYLff.5619$(E-Mail Removed)...
> Apologies if this is not the correct group.
>
> I would like to know how I can designate a specific user to join new PC's
> to a W2K3/XP network without bestowing Admin rights. I have been playing
> around with delegation in OU's but cant seem to make it work. Also if I
> wanted to delegate a user to be able to create new accounts only from a
> specific PC on the network,can this be done?
>
> Many thanks
>
>
>