1
00:00:06,430 --> 00:00:13,180
Before we adjourn a computer to a domain you should first create a computer object in the appropriate

2
00:00:13,260 --> 00:00:17,130
owe you to join a computer turned 80 days domain.

3
00:00:17,260 --> 00:00:19,660
You must meet three conditions.

4
00:00:19,660 --> 00:00:26,290
First you must have appropriate permissions on the computer object that allow you to join a physical

5
00:00:26,290 --> 00:00:29,260
computer with the same name to the domain.

6
00:00:29,260 --> 00:00:35,290
Second you must be a member of the local administrators group on the computer.

7
00:00:35,290 --> 00:00:40,860
This allows you to change the computer's domain or varied group membership.

8
00:00:40,870 --> 00:00:48,370
And third you must not have exceeded the maximum number of computer accounts that you can add to the

9
00:00:48,370 --> 00:00:50,110
domain by default.

10
00:00:50,110 --> 00:00:55,000
Users can add a maximum of 10 computers to the domain.

11
00:00:55,000 --> 00:01:04,230
This value is known as the machine account quarter and is controlled by the mass DNS machine quarter.

12
00:01:04,240 --> 00:01:13,930
Well you you can modify the value by using the Active Directory Services interfaces editor or a DSA

13
00:01:14,050 --> 00:01:16,060
added snap in.

14
00:01:16,150 --> 00:01:22,450
It is recommended that you recreate the computer account in the correct owe you.

15
00:01:22,510 --> 00:01:25,930
Prior to joining the computer to the domain.

16
00:01:25,930 --> 00:01:32,010
This allows the computer to receive the appropriate group policies immediately.

17
00:01:32,020 --> 00:01:40,200
If you do not recreate the computer account the computer account will be created in the computer's container.

18
00:01:40,210 --> 00:01:43,270
Some words about delegates and permissions.

19
00:01:43,270 --> 00:01:51,010
By default the enterprise Edmonds domain admins and administrators and account operators groups have

20
00:01:51,010 --> 00:01:55,790
permissions to create computer objects in an in you owe you.

21
00:01:55,870 --> 00:02:04,150
However as discussed earlier it is recommended that you tightly restrict membership in the first three

22
00:02:04,150 --> 00:02:05,110
groups.

23
00:02:05,110 --> 00:02:13,360
In addition it is recommended that you not at users who are members of the enterprise that most domain

24
00:02:13,360 --> 00:02:18,320
admins or administrators groups to the account Operators Group.

25
00:02:18,340 --> 00:02:25,900
Instead you should delegate the permission to create computer objects to appropriate administrators

26
00:02:26,080 --> 00:02:28,350
or support personnel.

27
00:02:28,360 --> 00:02:34,810
This permission which you assigned to the group to which you are delegated and delegating administration

28
00:02:35,140 --> 00:02:43,570
allows group members to create computer objects in a specified Oh you for example you might allow your

29
00:02:43,570 --> 00:02:53,140
desktop support team to create computer objects in the client's owe you and allow your file server administrators

30
00:02:53,410 --> 00:03:00,720
to create computer objects in their file server so you to delegate permissions to create computer accounts.

31
00:03:00,880 --> 00:03:09,340
You can use the delegation of control visa to choose a custom task to delegate when you delegate permissions

32
00:03:09,340 --> 00:03:11,390
to manage computer records.

33
00:03:11,410 --> 00:03:18,850
You might consider granting additional permissions beyond those required to create computer accounts.

34
00:03:18,850 --> 00:03:26,800
For example you might decide to lower delegated administrator to manage the properties of existing computer

35
00:03:26,800 --> 00:03:31,690
accounts to delete the computer account or to move the computer account.