Allow Users to bind machines to domains

Use the delegate Control wizard inside AD against the top level domain listing (not OU). You can then select “Join Domain” as a security option for your chosen user(s)/group(s).


Be sure to check for the group policy too, “Default Domain Policy” > Computer Configuration > Windows Settings > Security Settings > Local Policies > “Add Workstations to Domain”

Windows 2003+ domain – Prevent users adding computers to domain

1.       Open run and type ADSIEDIT.msc (may need to register adsiedit.dll on server first)

2.       Right click ADSIedit and choose connect to

3.       In the connection point section ,chose select A well Known Naming Context and ,from the drop-down list choose Default naming context

4.       Click OK

5.       Expand default naming context

6.       Right click the DC=mydomain,dc=local domain folder and choose properties

7.       Select ms-DS-MachineAccount Quta and click edit

8.       Type 0

9.       Click OK