To grant a user the level of access needed to join systems on the organization's network to the domain, you can choose and use one of the following methods, depending on the scenario:
Solution 1:
- On your domain controller, click Start, point to Administrative Tools, and select Active Directory Users and Computers.
- Right click the container that you want the user to create computer accounts in and select Delegate Control.
- Click Next.
- Click Add.
- Add the appropriate user account and click Next.
- Click the Create custom task to delegate option and click Next.
- Click Only the following objects in the folder.
- Click Computer Objects and Create selected objects in this folder. Click Next.
- Click Create all child objects and click Next.
- Click Finish.
Solution 2:
Changing default number of machines users can add to a domain
Most of you know the limit of 10 times authenticated users can join machines to a domain. Upping the limit, or removing it is a very simple thing to do, however every time someone asks me, I have to go back to look it up again. At least if I have it on my own blog, I'll know where to start looking next time.
The Active Directory attribute you need to change is mS-DS-MachineAccountQuota, which is a property of the domain object. Here are the steps to change it:
- Start ADSI Edit (start/run/adsiedit.msc)
- Expand out the Domain node, right click on DC=<yourdomain>,DC=com and select Properties
- Scan down to ms-DS-MachineAccountQuota
- Modify the value as appropriate, or clear the value to remove the limit entirely.
Solution 3:
Users cannot join a computer to a domain
To resolve the issue in which users cannot join a computer to a domain, follow these steps:
- Click Start, click Run, type dsa.msc, and then click OK.
- In the task pane, expand the domain node.
- Locate and right-click the OU that you want to modify, and then click Delegate Control.
- In the Delegation of Control Wizard, click Next.
- Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
- In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
- Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
- Click Next.
- In the Permissions list, click to select the following check boxes:
  - Read and write Account Restrictions
  - Validated write to DNS host name
  - Validated write to service principal name
- Click Next, and then click Finish.
- Close the "Active Directory Users and Computers" MMC snap-in.
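A scripted form of the quota check from Solution 2 and the delegation steps above, as an added example that is not part of the original page. The OU and group names are placeholders, and it assumes the ActiveDirectory PowerShell module and dsacls.exe are available on the machine where it runs.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and dsacls.exe,
# run by an account allowed to change the ACL of the target OU.
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the page): substitute your own.
$TargetOU = 'OU=Workstations,DC=example,DC=com'
$Delegate = 'EXAMPLE\Workstation-Joiners'

# Solution 2: read the current domain-wide join quota from the domain object.
$domainDN = (Get-ADDomain).DistinguishedName
$domain   = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
Write-Output ("ms-DS-MachineAccountQuota on {0}: {1}" -f `
    $domainDN, $domain.'ms-DS-MachineAccountQuota')

# Solution 3: the permissions selected in the wizard steps, as dsacls grants.
# /I:T = this object and sub-objects, /I:S = sub-objects only.
$grants = @(
    # Create and delete computer objects in the OU
    @{ Inherit = '/I:T'; Right = 'CCDC;computer' }
    # Read and write Account Restrictions on computer objects
    @{ Inherit = '/I:S'; Right = 'RPWP;Account Restrictions;computer' }
    # The two validated writes on computer objects
    @{ Inherit = '/I:S'; Right = 'WS;Validated write to DNS host name;computer' }
    @{ Inherit = '/I:S'; Right = 'WS;Validated write to service principal name;computer' }
)

foreach ($g in $grants) {
    # ${Delegate} is braced so that the following ':' is not read as a scope qualifier.
    & dsacls.exe $TargetOU $g.Inherit /G "${Delegate}:$($g.Right)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for '$($g.Right)' on $TargetOU (exit code $LASTEXITCODE)"
    }
}

# Review step: show the ACL lines on the OU that mention the delegate,
# so the result can be compared against the four grants above.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $Delegate
```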
Users cannot reset passwords
To resolve the issue in which users cannot reset passwords, follow these steps:
- Click Start, click Run, type dsa.msc, and then click OK.
- In the task pane, expand the domain node.
- Locate and right-click Builtin, and then click Properties.
- In the Builtin Properties dialog box, click the Security tab.
- In the Group or user names list, click Account Operators.
- Under Permissions for Account Operators, click to select the Allow check box for the Read permission, and then click OK.
  Note: If you want to use a group or a user other than the Account Operators group, repeat steps 5 and 6 for that group or that user.
- Close the "Active Directory Users and Computers" MMC snap-in.