Tuesday, November 16, 2010

Offline Domain Join (Djoin.exe) Step-by-Step Guide

The following procedures show how to grant the user rights with Group Policy and how to delegate the correct permissions.
Granting user rights to join workstations to the domain

You can use the Group Policy Management Console (GPMC) to modify the domain policy or create a new policy that has settings that grant the user rights to add workstations to a domain.

Membership in Domain Admins, or equivalent, is the minimum required to grant user rights. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To grant rights to join workstations to a domain

1. Click Start, click Administrative Tools, and then click Group Policy Management.

2. Double-click the name of the forest, double-click Domains, double-click the name of the domain in which you want to join a computer, right-click Default Domain Policy, and then click Edit.

3. In the console tree, double-click Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click User Rights Assignment.

4. In the details pane, double-click Add workstations to domain.

5. Select the Define these policy settings check box, and then click Add User or Group.

6. Type the name of the account that you want to grant the user rights to, and then click OK twice.

Delegating permissions to join workstations to the domain

You can use a tool such as Ldp.exe to delegate permissions to join workstations to a domain. As a best practice, you should delegate permissions to a group, and then add users to the group or remove them as needed.

Membership in Domain Admins, or equivalent, is the minimum required to delegate permissions. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To delegate permissions to join workstations to a domain

1. Click Start, click Run, type ldp, and then click OK.

2. Click Connection, click Connect, and in Server type the name of a domain controller. If you are logged on to a domain controller, you can type localhost. When you are done, click OK.

3. Click Connection, and then click Bind. If you are logged on as a member of the Domain Admins group, click Bind as currently logged on user. If you are logged on as a different user, click Bind with credentials, and then type the name, password, and domain of an account that is a member of the Domain Admins group. Click OK.

4. Click View, click Tree, select DC=, and then click OK.

5. In the console tree, double-click DC=, right-click CN=Computers,DC=, click Advanced, click Security Descriptor, and then click OK.

6. Click ACE, click Add ACE, type the name of the account that you want to be able to join workstations to the domain, select the Create child check box, and then select the Inherit check box. In Object type, select computer class (you might have to type computer to select computer class), click OK, and then click Update.
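The same delegation can be scripted instead of clicked through in Ldp.exe. The following PowerShell is an added example, not part of the original guide: it uses Dsacls.exe to grant a group the right to create computer objects under the Computers container, which is the "Create child" ACE limited to the computer class with inheritance that the Ldp steps above build by hand. The domain name contoso.com and the group name CONTOSO\ODJ-Provisioners are placeholders.

```powershell
# Added example (not from the original guide). Delegate "create computer
# objects" on CN=Computers to a group with Dsacls.exe, as an alternative to
# the Ldp.exe procedure. Run elevated as a Domain Admin (or equivalent).
# Placeholders: domain contoso.com, group CONTOSO\ODJ-Provisioners.
$Domain = 'contoso.com'
$Group  = 'CONTOSO\ODJ-Provisioners'

# Build the distinguished name of the Computers container from the DNS name.
$DomainDN  = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
$Container = "CN=Computers,$DomainDN"

# CC = Create Child; ';computer' limits the ACE to computer objects;
# /I:T applies it to this container and to its sub-objects (the "Inherit"
# check box in Ldp.exe). Delegating to a group, then managing membership,
# follows the best practice stated in the guide.
dsacls $Container /I:T /G "${Group}:CC;computer"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Verify: dump the container's ACL and show only the entries for the group.
dsacls $Container | Select-String -SimpleMatch $Group
```

The verification line is the check to keep around: running dsacls with only the object name lists every ACE on the container, so the same command can be used later to audit who has been granted the right to create computer objects.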

Offline domain join process and Djoin.exe syntax

Run Djoin.exe at an elevated command prompt to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .txt file that you specify as part of the command. After you run the provisioning command, you can either run Djoin.exe again to request the computer account metadata and insert it into the Windows directory of the destination computer or you can save the computer account metadata in an Unattend.xml file and then specify the Unattend.xml file during an unattended operating system installation of the destination computer.

For more information about the NetProvisionComputerAccount function that is used to provision the computer account during an offline domain join, see NetProvisionComputerAccount Function (http://go.microsoft.com/fwlink/?LinkId=162426). For more information about the NetRequestOfflineDomainJoin function that runs locally on the destination computer, see NetRequestOfflineDomainJoin Function (http://go.microsoft.com/fwlink/?LinkId=162427).
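The two Djoin.exe runs described above, provisioning on a domain-joined computer and the request on the destination computer, are shown below as an added PowerShell example that is not part of the original guide. The switches /provision, /domain, /machine, /savefile, /requestODJ, /loadfile, /windowspath and /localos are Djoin.exe's own; the domain contoso.com, the machine name WS-0001 and the blob path C:\odj\WS-0001.txt are placeholders. The two halves run on different machines and are separated accordingly.

```powershell
# Added example (not from the original guide). Offline domain join in two
# steps; the sections run on different computers, both at an elevated prompt.
# Placeholders: domain contoso.com, machine WS-0001, blob C:\odj\WS-0001.txt.
$Domain  = 'contoso.com'
$Machine = 'WS-0001'
$Blob    = 'C:\odj\WS-0001.txt'

# --- Provisioning side: a domain-joined computer, run by an account that
#     holds the "Add workstations to domain" right or the delegated
#     create-computer permission ---
New-Item -ItemType Directory -Path (Split-Path $Blob) -Force | Out-Null
djoin /provision /domain $Domain /machine $Machine /savefile $Blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The saved file is the computer account metadata, including the account's
# credentials, so limit who can read it while it is in transit.
icacls $Blob /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null

# --- Destination side: the computer being joined, which need not reach a
#     domain controller. /localos targets the running Windows installation. ---
djoin /requestODJ /loadfile $Blob /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

# Remove the consumed blob; the join takes effect at the next boot.
Remove-Item -Path $Blob -Force
Restart-Computer
```

The exit-code checks matter because Djoin.exe reports failures (an account that already exists, a missing permission, an unreadable blob) through its return code rather than by stopping the script. Treating the blob file as a credential, restricting its ACL and deleting it after the request, is the practical caveat for an unattended deployment that passes the same metadata through an Unattend.xml file.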