I am sure you know by now that any authenticated user has the right to join a computer to an Active Directory domain. This can happen only 10 times, and on the 11th time the user will get an error. Per Microsoft, users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The difference is that users with permissions on the container are not restricted to the creation of only 10 computer accounts.
We can create a group in Active Directory called TECHNICIAN and add to it all approved users who will be granted the right to join computers to the domain.
- Let's log in to Windows Server 2012 R2
- Click on Group Policy Management and launch the console
- Right click on Default Domain Group Policy and click Edit
- Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
- Expand the User Rights Assignment
- Double click on Add Workstations to Domain
- Click Add User or Group
- Add the TECHNICIAN group and click APPLY
From this point on, any time you add a user to or remove a user from the TECHNICIAN group, that user will be granted or will lose the permission to add computers to the domain.
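To confirm the result of the steps above, the following PowerShell is an added example (not part of the original article) that reads the per-user join quota, lists who currently holds the Add Workstations to Domain right, and reports computer accounts created by users outside TECHNICIAN. It assumes an elevated session on a domain controller with the ActiveDirectory module, that the TECHNICIAN group already exists, and that the 10-join limit is the default value of the `ms-DS-MachineAccountQuota` attribute; the temp file name is arbitrary.

```powershell
# Added example: run elevated on a domain controller (assumption).
Import-Module ActiveDirectory

$groupName = 'TECHNICIAN'            # group name used in the article
$domain    = Get-ADDomain

# 1. Per-user join limit behind the "10 times" behaviour (assumed default: 10).
$quotaAttr = 'ms-DS-MachineAccountQuota'
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties $quotaAttr).$quotaAttr
"Machine account quota per user: $quota"

# 2. Accounts that hold "Add workstations to domain" (SeMachineAccountPrivilege)
#    in the effective local policy of this DC. secedit writes SIDs as *S-1-...
$inf = Join-Path $env:TEMP 'user-rights.inf'      # arbitrary temp file
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$hit = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege\s*=\s*(.*)$'
$holders = @()
if ($hit) {
    $holders = $hit.Matches[0].Groups[1].Value -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $entry.Substring(1)
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }                  # unresolvable SID: show it raw
        } else { $entry }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
"Holders of Add workstations to domain:"
$holders | ForEach-Object { "  $_" }
if ($holders -notmatch [regex]::Escape($groupName)) {
    Write-Warning "$groupName is not listed; the GPO may not have applied yet."
}

# 3. Computer accounts created through the user right record their creator in
#    ms-DS-CreatorSID. Report any whose creator is not a TECHNICIAN member.
$allowed = Get-ADGroupMember -Identity $groupName -Recursive |
    ForEach-Object { $_.SID.Value }
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    Where-Object { $allowed -notcontains $_.'ms-DS-CreatorSID'.Value } |
    Select-Object Name, whenCreated,
        @{ Name = 'CreatorSID'; Expression = { $_.'ms-DS-CreatorSID'.Value } } |
    Sort-Object whenCreated |
    Format-Table -AutoSize
```

Any entry in step 2 other than TECHNICIAN and the built-in administrative groups is a principal that can still join machines, and step 3 shows the accounts those principals have already created.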