joining domain

hi! Is it possible to have the users rejoin xp,win7 to win2003 AD with the
computer object already exist in the AD? i know that this can be done through
administrator group, but can this be done by the user without adding them
into the domain admain grp or accoutn operator?

what's the best practice and previlege that i shd give to the support team
who only need to able to join the pc into the domain?


Thanks.

They have to be able to delete and add. If you are talking about doing this
to one machine not a real big deal but if you want folks to do this all the
time it could be a maintenance nightmare. Can you elaborate on what you are
trying to do and maybe there is another way to do something.

Such as delegating control of computer management on an ou for a user or
security group.

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewGroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"dkblee" <> wrote in message
news:2B33AA94-15F8-466E-B3E1-...
> hi! Is it possible to have the users rejoin xp,win7 to win2003 AD with the
> computer object already exist in the AD? i know that this can be done
> through
> administrator group, but can this be done by the user without adding them
> into the domain admain grp or accoutn operator?
>
> what's the best practice and previlege that i shd give to the support team
> who only need to able to join the pc into the domain?
>
>
> Thanks.

dkblee wrote:
> hi! Is it possible to have the users rejoin xp,win7 to win2003 AD
> with the computer object already exist in the AD? i know that this
> can be done through administrator group, but can this be done by the
> user without adding them into the domain admain grp or accoutn
> operator?
>
> what's the best practice and previlege that i shd give to the support
> team who only need to able to join the pc into the domain?
>
>
> Thanks.

Try resetting the computer account - which should set the computer account
password back to the default of "COMPUTERNAME$". Should be just like a
computer pre-create and the computer should find an object already for the
join and change the password on successfull join. Give it a try, but I think
that will work.

--
/kj

Hello dkblee,

Yes, it can be done, see for more details in:
http://support.microsoft.com/kb/932455

http://support.microsoft.com/kb/243327/en-us

http://blogs.dirteam.com/blogs/jorge...01/05/369.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> hi! Is it possible to have the users rejoin xp,win7 to win2003 AD with
> the computer object already exist in the AD? i know that this can be
> done through administrator group, but can this be done by the user
> without adding them into the domain admain grp or accoutn operator?
>
> what's the best practice and previlege that i shd give to the support
> team who only need to able to join the pc into the domain?
>
> Thanks.
>

you could use the netdom tool. You as administrator "add" the computer in AD
and then the user runs the netdom tool to "join". That way the user does not
need admin rights

"dkblee" wrote:

> hi! Is it possible to have the users rejoin xp,win7 to win2003 AD with the
> computer object already exist in the AD? i know that this can be done through
> administrator group, but can this be done by the user without adding them
> into the domain admain grp or accoutn operator?
>
> what's the best practice and previlege that i shd give to the support team
> who only need to able to join the pc into the domain?
>
>
> Thanks.