Adding machines to a Domain
Good morning people,
I have a doubt: is there a way to allow a user to add machines to a domain without restrictions?
I would like to have a user, not a domain admin or power user, that can add machines to a domain (functional level 2003) in Windows Server 2008.
I ask this because we have a lot of machines in our network, and it is very usual to reinstall them... So, this task is done by common users (not domain admins) and we would like these users to be able to finish the process (reinstall and add the machine to the domain).
Best regards,
jneves10
July 14th, 2010 1:13pm
Hello,
The only way I know of to accomplish what you want is to create the computer account in the domain and assign the specific user the privileges to add the computer to the domain during that process. This also ensures the account is in the proper OU instead of the Computers OU.
During the computer account creation you can assign who can add the computer to the domain.
Of course, the user will need to log on locally in order to add the computer to the domain.
MagikD
July 14th, 2010 4:08pm
Is there any native way in Windows Server 2008 to allow this? I mean, some default group in Active Directory...
July 14th, 2010 7:45pm
Hi jneves10,
Thanks for posting here.
Have you tried using permission delegation?
Here is the workaround:
1. Right click on your domain in the Active Directory Users and Computers MMC snap-in.
2. Choose Delegate Control.
3. Follow the wizard and choose "Join a computer to the domain" for the user or group that you want to delegate control to.
And by default, one account is only allowed to join 10 objects to the domain. You can change it with the following steps:
1. Run ADSI Edit.
2. Expand out the Domain node, right click on DC=<Your Domain Name>,DC=<Domain Name suffix> and select Properties.
3. Find an attribute named "ms-DS-MachineAccountQuota".
4. Modify the value or clear the value to remove the limit entirely.
And here is an old thread which discusses a similar requirement for your reference:
http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/8aa21820-e22a-4395-a1e9-f40ed705be7a
Thanks.
Tiger Li
July 15th, 2010 6:22am
Another method is to add a group or user to the "Add workstations to domain" policy under User Rights Assignments.
MagikD
July 15th, 2010 3:29pm
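
Added example, not part of any post in this thread: before raising or clearing ms-DS-MachineAccountQuota, it helps to see how many computer accounts each non-admin creator already holds against it. The function name, parameter names and sample SIDs are hypothetical, and the commented live query assumes the RSAT ActiveDirectory module is available on a management workstation.

```powershell
# Report per-creator computer-account counts against ms-DS-MachineAccountQuota.
# Get-JoinQuotaUsage is a hypothetical helper name, not a built-in cmdlet.
function Get-JoinQuotaUsage {
    param(
        [Parameter(Mandatory = $true)]
        [object[]] $Computers,          # objects with Name and CreatorSid properties
        [Nullable[int]] $Quota = 10     # 10 is the default mentioned in the thread
    )
    $Computers |
        Where-Object { $_.CreatorSid } |            # skip accounts with no creator SID recorded
        Group-Object -Property CreatorSid |
        ForEach-Object {
            # A cleared (null) quota is treated as "no limit", as described in the thread.
            $remaining = if ($null -eq $Quota) { $null } else { [Math]::Max(0, $Quota - $_.Count) }
            [pscustomobject]@{
                CreatorSid = $_.Name
                Joined     = $_.Count
                Remaining  = $remaining
                AtLimit    = ($null -ne $Quota) -and ($_.Count -ge $Quota)
                Machines   = ($_.Group | ForEach-Object { $_.Name }) -join ', '
            }
        } |
        Sort-Object -Property Joined -Descending
}

# Constructed sample data (names and SIDs are made up) so the function runs without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'WS-001'; CreatorSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ Name = 'WS-002'; CreatorSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ Name = 'WS-003'; CreatorSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ Name = 'WS-004'; CreatorSid = 'S-1-5-21-1111111111-2222222222-3333333333-1142' }
    [pscustomobject]@{ Name = 'WS-005'; CreatorSid = $null }   # e.g. pre-created by an administrator
)

# A quota of 2 is used here only so the sample shows one creator at the limit.
Get-JoinQuotaUsage -Computers $sample -Quota 2 | Format-Table -AutoSize

# Against a real domain (assumes the ActiveDirectory module):
# $dn    = (Get-ADDomain).DistinguishedName
# $quota = (Get-ADObject $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
# $live  = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID' |
#          Select-Object Name, @{ n = 'CreatorSid'; e = { $_.'ms-DS-CreatorSID'.Value } }
# Get-JoinQuotaUsage -Computers $live -Quota $quota
```

Reviewing this output first shows which accounts actually need more than the default, which supports delegating the join right to a specific group rather than removing the limit for every user.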