Identifying who can add computers to the domain

Who can join computers to a domain depends on your organization’s policies, and those policies are enforced through Active Directory. In general, there are two common scenarios:

  • Any authenticated domain user can add up to ten computers to the domain.

    This is the default behavior for Windows computers. Many organizations follow this policy, so that administrative access is not required to add computers to a domain.

  • Only users with specific permissions can add computers to the domain.

    Some organizations restrict who can add computers to the domain. For example, a user might have to be a member of the Domain Admins or Account Operators group to add computers to a domain.

The policy your organization follows for Windows also applies when you want to add Linux and UNIX computers to a domain. If any authenticated user can add a Windows computer to the domain, adding a Linux or UNIX computer does not require an administrative user name and password. If only administrative or delegated users are allowed to add computers to the domain, the user adding a Linux or UNIX computer must provide an administrative or delegated user name and password.

If you aren’t sure whether an administrative account is required to join a domain, you can prepare a computer account before attempting to join the domain, and allow the computer account itself to be used to join the domain. Performing this type of “self-service” join simplifies the operation and allows the computer account to manage its own password without administrative intervention.
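
To check which of the two scenarios above a domain actually enforces, an administrator can read the per-user computer account quota and list who has been delegated the right to create computer objects. The following is an added example, not part of the original documentation; it assumes the RSAT ActiveDirectory PowerShell module and uses the ms-DS-MachineAccountQuota attribute and the default computers container, neither of which is named on this page.

```powershell
# Added example: report which join policy the current domain enforces.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Scenario 1: number of computer accounts an ordinary authenticated user may
# create. The Windows default is 10; a value of 0 disables user joins.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# Scenario 2: principals allowed to create computer objects in the default
# computers container. These delegated accounts are not limited by the quota.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "computer"
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$delegates = (Get-Acl -Path "AD:\$($domain.ComputersContainer)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($createChild) -and
        # Empty GUID means the right applies to every child object class.
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

[pscustomobject]@{
    Domain                  = $domain.DNSRoot
    ComputersContainer      = $domain.ComputersContainer
    MachineAccountQuota     = $quota
    # True only means the quota permits it; the user must also hold the
    # "Add workstations to domain" user right on the domain controllers.
    QuotaAllowsUserJoin     = ($quota -gt 0)
    CreateComputerDelegates = $delegates -join '; '
}
```

If computers are joined into an organizational unit other than the default container, run the same ACL check against that OU's distinguished name.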