Re: [2K3] WIN2003 Server AD Question: MS Server 2003 R2 x64
Sorry if my reply was confusing, I can see how it would be. As far as I know, if you grant permission to someone to add a computer to the domain, they will be able to do it regardless of whether it exists as an object already.
To put this in another perspective, it would be like granting a user access to a folder but they can only access it if they clear it with you first -- as you know it doesn't work that way. Permissions are all or none for the permission & object.
If you grant someone the ability to do something they will be able to do it. The system will presume the permission grantor trusts the individual. There is no partial trust with permissions.
I would be humbled & eager to see a different reply explaining how this is doable. As I said earlier I am far from an expert, just wanted to offer my cent or two.
My friend's company network admins somehow set up their network in the way I described. Admin accounts can go into Active Directory and add computers in the Computers OU. Once any admin adds the trusted computer in AD, then the joindomain account can join the computer to the domain. But if the computer does not exist in AD first, then it cannot join. Plus, that joindomain account does not have permission to go into Active Directory and create the computer in the trusted computer list.
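The pre-staging arrangement described in the post above, written out as an added PowerShell example (not the poster's configuration and not taken from the thread): an admin creates the computer object, then delegates to the join account only the rights needed to join that one object, so the account can join pre-staged computers but cannot create new ones. The domain contoso.local, the OU, the computer name PC01 and the account name joindomain are placeholders; it assumes the ActiveDirectory module and dsacls.exe on the admin's workstation.

```powershell
# Added example: pre-stage one computer object and delegate join rights on it only.
# Placeholders: contoso.local domain, OU=Workstations, computer PC01, account joindomain.
Import-Module ActiveDirectory

$ou       = "OU=Workstations,DC=contoso,DC=local"
$name     = "PC01"
$joinAcct = "CONTOSO\joindomain"

# 1. An admin creates (pre-stages) the computer object in the chosen OU.
#    It stays disabled until the real machine joins and takes it over.
New-ADComputer -Name $name -SamAccountName $name -Path $ou -Enabled $false

$dn = (Get-ADComputer -Identity $name).DistinguishedName

# 2. Grant the join account only what a domain join needs on THIS object:
#    reset password, write to the Account Restrictions property set, and the
#    validated writes for dnsHostName and servicePrincipalName.
#    Nothing is granted on the OU itself, so the account has no
#    "Create Computer objects" right and cannot add computers that were not
#    pre-staged by an admin.
dsacls $dn /G "${joinAcct}:CA;Reset Password"
dsacls $dn /G "${joinAcct}:WP;Account Restrictions"
dsacls $dn /G "${joinAcct}:WS;Validated write to DNS host name"
dsacls $dn /G "${joinAcct}:WS;Validated write to service principal name"

# 3. Close the default loophole: out of the box any authenticated user may
#    create up to 10 machine accounts (ms-DS-MachineAccountQuota), which would
#    let the join account bypass pre-staging entirely. Setting the quota to 0
#    makes "must exist in AD first" actually hold.
Set-ADDomain -Identity "contoso.local" -Replace @{ "ms-DS-MachineAccountQuota" = "0" }

# 4. Review what the join account ended up with on the object.
dsacls $dn
```

The final dsacls call lists the object's ACL so the delegated rights can be checked against what was intended before the join account is handed out.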