On 31 Jul 2003 06:40:06 -0700, tryon2@yahoo.com (Tryon) wrote:

>I have a small problem. We have limited the number of users that can
>add workstation and servers to our domain. One set of Techs should
>only be adding worksation Os and another team should be adding only
>server OS. I am looking for a way to sparate this in one of two ways.
>
>1. beable to have a policy that will only let one group add
>workstations and one group add servers.
>
> or
>
>2. Beable to see when a machine (Server or Worksation) was added to
>the domain and who added it.
>
>Any help on how to get one of the two accomplished would be great.


Try checking the registry key ownership of the account keys in the
SAM. We had an issue where machine accounts added by a full admin
could not be changed by server/account operators as they did not own
the registry keys created.

As for when it was added, use any available tools which show account
creation dates. The workstation domain account is not terribly
different than a normal user account - big difference is the $ at the
end of the name.

I also recommend enabling account auditting.