Add workstations to domain

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Description

Determines which groups or users can add workstations to a domain.

This policy is valid only on domain controllers. By default, any authenticated user has this right and can create up to ten computer accounts in the domain.

Adding a computer account to the domain allows the computer to participate in Active Directory based networking. For example, adding a workstation to a domain allows that workstation to recognize accounts and groups that exist in Active Directory.

The default group that has this right on domain controllers is:

  • Authenticated Users

Note Image Note

Users that have the "Create Computer Objects" permission on the Active Directory Computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only ten computer accounts. Furthermore, computer accounts created by means of the Add workstations to domain user right have Domain Administrators as the owner of the computer account, while computer accounts created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the add workstation to domain user right, then the computer is added based on the computer container permissions rather than the user right.