Permissions to Change Computer Name

[bre1818]

Hello!! I'm new to the MSFN forum and I was hoping someone could help me out with a problem.

I have a part-time student helping with installing new machines. Since he's part-time I don't want to give him a domain admin account, but I need him to be able to change a computer name on an existing machine as well as add a computer to the domain.

Does anyone know the best way to accomplish this? I was thinking of doing something with a group in the AD. Maybe giving the appropriate permissions to that group and just add and remove users when I need to?

We're running Windows 2003 (Server) & Windows XP Pro (Client). Any help would be much appreciated!!!!

Muchos gracias!

[cluberti]

As to adding workstations to the domain, in your GPO under Computer Config > Windows Settings > Security Settings > Local Policies > User Rights Assignment, there is an object called "Add workstations to domain", which is just what it sounds like. You will also need to delegate the permission to create computer objects and delete computer objects in the OU where the workstations reside to the group you are adding these users to.

As for changing machine names, your users would need administrative rights on the workstation itself, so allowing machine name changes may not be possible in your environment without adding the user to the local machine's administrators group.

[bre1818]

Thanks for the response.

I found the delegate control and the user can now add computers to the domain, but I'm confused about the changing of a computer name. I've tried changing the computer name with a local administrator and I get Access Denied. This is what I'm supposed to get. When I change the computer name with my domain admin account it works fine.

There has to be a way to give a standard domain user control to change a computer name if he can add one to the domain... right?

[cluberti]

If the computer is added to the domain, you can't change the name with a local administrator account because you are then modifying not only the local name, but the actual computer account in Active Directory (which a local admin account does not have rights to do).

Once that machine is removed from the domain, the local admin can change the computer name again. As to changing the name of a domain-attached computer, the user must have privileges both in AD _AND_ on the local workstation, because the name change takes place in BOTH places. There is no way to delegate the local computer name change right in AD, and thus local admin privileges are required on top of the AD permissions to actually change a computer name.

Edited November 22, 2005 by cluberti

[bre1818]

Alright good I'm not crazy... I knew that much

Any way to give permission to a domain user to change the computer name of a machine already in a domain?

[cluberti]

Read the first post again - that's how you do it.

[bre1818]

Thanks, the users are already local administrators.

Don't they need to have access in the AD to make the change since renaming the computer doesn't just affect the local machine?