Delegation/Joining Machines to a Domain: Difference between revisions
From SambaWiki
Mmuehlfeld (talk | contribs) m (Mmuehlfeld moved page Delegation/Join Machines to a Domain to Delegation/Joining Machines to a Domain without leaving a redirect: Fix link)
Mmuehlfeld (talk | contribs) (Rewrote guide. Rephrased guide to be clearer)
Revision as of 16:00, 2 September 2016
Introduction
Delegating permissions in an Active Directory (AD) enables the administrator to assign permissions in the directory to unprivileged users. For example, it enables help desk employees to join machines to the domain without knowing the domain administrator credentials.
Adding the Delegation
To enable the "supporters" group to join and remove machines to and from the domain:
- Open the "Active Directory Users and Computers" (ADUC) console as domain administrator.
- Create a new group "supporters".
- Right-click the "CN=Computers" container and select "Delegate control".
- Click "Next".
- Click "Add", select the group "supporters" and click "Next".
- Select "Create a custom task to delegate".
- Select "Only the following objects in the folder" and check "Computer objects" in the list. Additionally select the options "Create selected objects in the folder" and "Delete selected objects in this folder". Click "Next".
- Select "General" and "Property-specific", select the following permissions from the list and click "Next":
  - "Reset password"
  - "Read and write account restrictions"
  - "Read and write DNS host name attributes"
  - "Validated write to DNS host name"
  - "Validated write to service principal name"
  - "Write servicePrincipalName"
- Click "Finish".
To enable the group to join machines to multiple containers or organizational units (OU), repeat the steps on them.
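The same delegation can be scripted on the Samba AD DC instead of clicking through the ADUC wizard. The following is an added example, not code from the Samba wiki: it renders the wizard's choices above as SDDL ACEs and applies them with `samba-tool dsacl set`. The group SID and container DN are placeholders (look the SID up with `wbinfo --name-to-sid 'DOMAIN\supporters'`); the GUIDs are the well-known AD rights and schema GUIDs for the listed permissions, and the exact ACE set is my rendering of the wizard's result, so compare it with `samba-tool dsacl get` on a container delegated through the GUI before relying on it.

```shell
#!/bin/sh
# Well-known AD GUIDs for the permissions named in the ADUC wizard steps.
COMPUTER_CLASS=bf967a86-0de6-11d0-a285-00aa003049e2       # schemaIDGUID of class "computer"
RESET_PASSWORD=00299570-246d-11d0-a768-00aa006e0529       # extended right "Reset password"
ACCOUNT_RESTRICTIONS=4c164200-20c0-11d0-a768-00aa006e0529 # property set "Account restrictions"
DNS_HOST_NAME=72e39547-7b18-11d1-adef-00c04fd8d5cd        # "DNS host name attributes" / validated write
SPN=f3a64788-5306-11d1-a9c5-0000f80367c1                  # servicePrincipalName / validated write to SPN

# Print the SDDL ACE list for one group SID ($1).
# CI   = the ACE is inherited by child objects of the container.
# IO   = inherit-only: the ACE applies to the computer objects below the
#        container (inherited object type = computer), not to the container.
# CCDC = create child / delete child, limited to computer objects.
join_delegation_sddl() {
    sid=$1
    printf '(OA;CI;CCDC;%s;;%s)' "$COMPUTER_CLASS" "$sid"
    printf '(OA;CIIO;CR;%s;%s;%s)' "$RESET_PASSWORD" "$COMPUTER_CLASS" "$sid"
    printf '(OA;CIIO;RPWP;%s;%s;%s)' "$ACCOUNT_RESTRICTIONS" "$COMPUTER_CLASS" "$sid"
    printf '(OA;CIIO;RPWP;%s;%s;%s)' "$DNS_HOST_NAME" "$COMPUTER_CLASS" "$sid"
    printf '(OA;CIIO;SW;%s;%s;%s)' "$DNS_HOST_NAME" "$COMPUTER_CLASS" "$sid"
    printf '(OA;CIIO;SW;%s;%s;%s)' "$SPN" "$COMPUTER_CLASS" "$sid"
    printf '(OA;CIIO;WP;%s;%s;%s)\n' "$SPN" "$COMPUTER_CLASS" "$sid"
}

# Apply the ACEs to a container or OU ($1) for a group SID ($2). With
# DRY_RUN=1 the samba-tool command is only printed so it can be reviewed
# first; repeat the call for every container the group may join machines to.
delegate_join() {
    dn=$1
    sid=$2
    sddl=$(join_delegation_sddl "$sid")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'samba-tool dsacl set --objectdn=%s --sddl=%s\n' "$dn" "$sddl"
    else
        samba-tool dsacl set --objectdn="$dn" --sddl="$sddl"
    fi
}

# Placeholder DN and SID (constructed): replace with your domain's values.
DRY_RUN=1 delegate_join 'CN=Computers,DC=example,DC=com' 'S-1-5-21-1-2-3-1105'
```

After applying it for real, `samba-tool dsacl get --objectdn='CN=Computers,DC=example,DC=com'` shows the resulting security descriptor, which is also the place to confirm the ACEs before and after a revocation.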
Revoking the Delegation
To revoke the delegation so that members of the "supporters" group can no longer join and remove machines to and from the domain:
- Open the "Active Directory Users and Computers" (ADUC) console as domain administrator.
- Right-click the container or organizational unit (OU) from which you want to revoke the permissions and select "Properties".
- Navigate to the "Security" tab.
- Remove the "supporters" group from the list.
- Click "OK".