[AD] Removing the default right of ordinary domain users to join computers to the domain, and authorizing a specific ordinary domain user to join computers to the domain

Source: Internet
Author: User
Tags: adsi edit

Generally speaking, when no special settings are made, computers are joined to the domain manually using the Administrator account. This is risky: the Administrator password is easily remembered by whoever types it. If instead a normal user account is set up specifically to perform domain joins, that risk is reduced. In fact, by default every ordinary domain account can join 10 computers to the domain, which is a significant hidden danger. Probably many people have never tried it.


Joining a domain falls into two cases. The first is joining a brand-new computer to the domain. The second is a computer that has already joined the domain but, because of a failure, can no longer log on to the domain, or has been manually removed from it, and is re-joined while its original computer account still exists in the domain. In the second case, when the account used for the re-join is the same as the account used for the original join, the permissions are consistent and the computer can be re-joined.

The following errors are discussed only within the scope of this article; other causes are not covered.
Possible error A when joining the domain:
[Screenshot: error A]

This occurs in the second case, when the domain account (and therefore its permissions) is not the one that performed the original join.
Possible error B:

[Screenshot: error B]
This occurs when the ordinary user has exceeded the number of computers it is allowed to join to the domain.

Removing the right of ordinary domain users to join computers to the domain
In a domain environment, normal users can by default join 10 computers to the domain. If security is taken into account, this default needs to be changed. Users created in the domain are placed in the Domain Users group by default; the following describes how to remove the right of ordinary domain user accounts to join computers to the domain.
Method/Steps
1. On the PDC, click Start - All Programs - Administrative Tools and open ADSI Edit.
[Screenshot: opening ADSI Edit]


2. In ADSI Edit, right-click the "ADSI Edit" node, choose "Connect to...", and click OK.
Then right-click DC=xxx,DC=com and click Properties.
[Screenshot: ADSI Edit connection and domain properties]


3. Find "ms-DS-MachineAccountQuota" and change its value from the default 10 to 0.
[Screenshot: ms-DS-MachineAccountQuota attribute]


In this way, an ordinary user can no longer join a new computer to the domain. XP prompts "Access denied"; Windows 7 prompts error B (see the beginning of the article).
No restart is required to complete the change. It takes effect immediately.
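The same attribute the article edits in ADSI Edit can be read and set with the ActiveDirectory PowerShell module, and the mS-DS-CreatorSID attribute reveals which computers were joined by ordinary users under the default quota. This is an added example, not code from the original article; it assumes the ActiveDirectory module is installed and the caller has rights on the domain object.

```powershell
# Added example (not from the original article): inspect and harden
# ms-DS-MachineAccountQuota with the ActiveDirectory module instead of ADSI Edit,
# then list computer objects that were created by ordinary users under the quota.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    $domain = Get-ADDomain
    (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([int]$Quota = 0)
    $domain = Get-ADDomain
    # Same attribute the article edits in ADSI Edit; 0 removes the default right of Domain Users
    Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

function Get-QuotaJoinedComputers {
    # mS-DS-CreatorSID is only populated when a non-privileged user creates the
    # computer object via the quota, so it identifies computers joined that way.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            [pscustomobject]@{
                Computer  = $_.Name
                Created   = $_.whenCreated
                # Resolve the SID to a name; fall back to the raw SID if the account no longer exists
                CreatedBy = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value })
            }
        }
}

"Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
Get-QuotaJoinedComputers | Format-Table -AutoSize
# Uncomment to apply the article's hardening step (takes effect immediately, no restart):
# Set-MachineAccountQuota -Quota 0
```

Computers listed by Get-QuotaJoinedComputers are the ones that got in under the default quota, so they are worth reviewing before the quota is set to 0.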

Authorizing a specific ordinary domain user to join computers to the domain
First, open the domain-level Group Policy and make the change shown below.
[Screenshot: Group Policy setting]

In this case, this account can indeed join a new computer to the domain even with ms-DS-MachineAccountQuota=0. However, error A (see the beginning of the article) can still occur.

So at this point we need to use delegation.
The ordinary delegation method found by searching the internet is, to some extent, equivalent to the Group Policy method, and in practice error A (see the beginning of the article) still occurs.
To solve this problem, do the following.
Open the Active Directory Users and Computers console, right-click the domain, and select Delegate Control.

[Screenshot: Delegation of Control wizard]

[Screenshot: selecting the user to delegate to]
[Screenshot: choosing a custom task to delegate]
In the wizard, add the following permissions:
Reset Password
Read and write Account Restrictions
Validated write to DNS host name
Validated write to service principal name


[Screenshot: selected permissions]
In this way, this account can be used as a dedicated domain-join account.
This also takes effect immediately.

Viewing the delegation
In the AD Users and Computers console, click View - Advanced Features. Then right-click the current domain - Properties - Security; there you can see the user you delegated to.
[Screenshot: domain Properties, Security tab]
[Screenshot: delegated user's permission entries]
The delegation can also be removed directly there.
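The Security tab shows the delegated entries as named rights; the same ACEs can be listed from PowerShell by reading the ACL of the domain head and resolving the object-type GUIDs through the schema and Extended-Rights containers. This is an added example, not code from the original article; the account name 'joinsvc' is a constructed placeholder, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original article): list the ACEs delegated to a
# given user on the domain head, resolving the object-type GUIDs to the names
# shown in the Security tab (e.g. "Reset Password", "Validated-DNS-Host-Name").
Import-Module ActiveDirectory

function Get-SchemaGuidMap {
    # Map schemaIDGUID (classes/attributes/property sets) and rightsGuid
    # (extended and validated rights) to display names so ACEs are readable
    $rootDSE = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).Guid] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).Guid] = $_.name }
    return $map
}

function Get-DomainJoinDelegation {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $map = Get-SchemaGuidMap
    $domainDN = (Get-ADDomain).DistinguishedName
    # The AD: drive is provided by the ActiveDirectory module
    $acl = Get-Acl -Path "AD:\$domainDN"
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$SamAccountName" } |
        ForEach-Object {
            [pscustomobject]@{
                Identity    = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                # ObjectType names the property or right the ACE covers; an empty GUID means all
                Permission  = $(if ($_.ObjectType -eq [guid]::Empty) { 'All' } else { $map[$_.ObjectType.Guid] })
                # InheritedObjectType names the class the ACE applies to (computer for the wizard's entries)
                ObjectClass = $(if ($_.InheritedObjectType -eq [guid]::Empty) { 'All' } else { $map[$_.InheritedObjectType.Guid] })
            }
        }
}

# 'joinsvc' is a constructed placeholder; use the delegated account's sAMAccountName
Get-DomainJoinDelegation -SamAccountName 'joinsvc' | Format-Table -AutoSize
```

Running this periodically and comparing the output against the four permissions the article delegates makes it easy to spot extra rights that were granted by mistake.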
