Delegation/Joining Machines to a Domain: Difference between revisions

From SambaWiki
(Split origin page into separate ones for better maintenance)
 
 
(8 intermediate revisions by 3 users not shown)
Previous revision (wikitext):

= Add delegation =

Delegating permissions in an Active Directory (AD) enables the administrator to assign permissions in the directory to unprivileged users, for example to enable help desk employees to join machines to the domain without knowing the domain administrator credentials.
In the following we explain how to delegate the permission to join computers to the domain to the members of a group that is not Domain Admins. This delegation should only be set on the default container for machine accounts (CN=Computers).

''Side note: By default, the 'Authenticated Users' group can join up to 10 workstations to the domain. This can be a security risk and you should consider deactivating this!''

* Open the ADUC console as domain administrator.
* Create a new group 'supporters' and add to it the user accounts that should later be able to join machines to the domain.
* Right-click CN=Computers and click 'Delegate control' to open the delegation wizard.
* Click 'Next'.
* Click 'Add' and add the group 'supporters'. Click 'Next'.
* Choose 'Create a custom task to delegate' in the 'Tasks to delegate' window.
* In the 'Active Directory Object Type' window, select 'Only the following objects in the folder' and check 'Computer objects' in the list. Also check the two options 'Create selected objects in this folder' and 'Delete selected objects in this folder'. Click 'Next'.
* In the 'Permissions' window, check 'General' and 'Property-specific'. Also select the following permissions from the list:
** Reset password
** Read and write account restrictions
** Read and write DNS host name attributes
** Validated write to DNS host name
** Validated write to service principal name
** Write servicePrincipalName
* Click 'Next'.
* Click 'Finish'.
After you have finished these steps, members of the 'supporters' group will be able to join computers to the domain.

= Revoke delegation =

If you want to revoke the permission for the 'supporters' group again, follow these steps:
* Open the ADUC console as domain administrator.
* Right-click the container on which you want to revoke the permissions and click 'Properties'.
* Go to the 'Security' tab.
* Delete the 'supporters' group from the list.
* Click 'OK'.

Latest revision (wikitext): the revised text is rendered below; its source additionally links the command-line alternative at https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=48 and carries the [[Category:Active Directory]] tag.

Latest revision as of 12:16, 28 June 2021

Introduction

Delegating permissions in an Active Directory (AD) enables the administrator to assign permissions in the directory to unprivileged users, for example to enable help desk employees to join machines to the domain without knowing the domain administrator credentials.



Adding the Delegation

To enable the supporters group to join and remove machines to and from the domain:

  • Open the Active Directory Users and Computers (ADUC) console as domain administrator.
  • Create a new group supporters.
  • Right-click the Computers container and select Delegate control.
  • Click Next.
  • Click Add, select the group supporters and click Next.
  • Select Create a custom task to delegate and click Next.
  • Select Only the following objects in the folder and check Computer objects in the list. Additionally select the options Create selected objects in this folder and Delete selected objects in this folder. Click Next.
  • Select General and Property-specific, then select the following permissions from the list:
      • Reset password
      • Read and write account restrictions
      • Read and write DNS host name attributes
      • Validated write to DNS host name
      • Validated write to service principal name
      • Write servicePrincipalName
  • Click Next.
  • Click Finish.

To enable the group to join machines to multiple containers or organizational units (OU), repeat the steps on them.

A similar way to do the same on the Windows command line is described in this article: https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=48
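The wizard steps above translate into a handful of access-control entries on the Computers container. The following script is an added example, not code from the Samba wiki or the Samba project: it writes those entries out as SDDL ACEs for a given group SID and then audits a container's security descriptor, reporting any delegated ACE that is missing and any write-class right held by a broad trustee such as Authenticated Users. The schema and extended-right GUIDs are well-known Active Directory constants assumed to be correct for your schema, the group SID is constructed, and the descriptor it parses is a constructed sample; on a real DC you would feed it the descriptor you read out with a tool such as samba-tool's dsacl subcommand.

```python
"""Added example (not from the Samba wiki): express the 'supporters'
delegation as SDDL ACEs and audit a container's DACL for them."""
import re
from collections import namedtuple

# Well-known AD schema and extended-right GUIDs. Assumed constants: verify
# them against your own schema and configuration partitions before use.
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"          # class: computer
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"          # User-Force-Change-Password
ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"    # property set
DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd"           # dNSHostName / validated write
SERVICE_PRINCIPAL_NAME = "f3a64788-5306-11d1-a9c5-0000f80367c1"  # servicePrincipalName / validated write

# Broad trustees that should not hold write-class rights on CN=Computers,
# and the SDDL right codes that count as write-class here.
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users",
              "BU": "Builtin Users", "DU": "Domain Users"}
RISKY_RIGHTS = {"GA", "GW", "WD", "WO", "CC", "DC", "WP"}

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
Ace = namedtuple("Ace", "type flags rights object_guid inherit_guid sid")
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*)\)")


def delegation_aces(group_sid):
    """ACEs equivalent to the wizard steps: create/delete computer objects
    in the container, plus the listed rights on the computer objects below
    it (CI = inherit, IO = inherit-only, so the container itself gains
    nothing from those entries)."""
    on_computers = f"{COMPUTER_CLASS};{group_sid}"
    return [
        f"(OA;;CCDC;{COMPUTER_CLASS};;{group_sid})",               # create/delete Computer objects
        f"(OA;CIIO;CR;{RESET_PASSWORD};{on_computers})",           # Reset password
        f"(OA;CIIO;RPWP;{ACCOUNT_RESTRICTIONS};{on_computers})",   # r/w account restrictions
        f"(OA;CIIO;RPWP;{DNS_HOST_NAME};{on_computers})",          # r/w DNS host name attributes
        f"(OA;CIIO;SW;{DNS_HOST_NAME};{on_computers})",            # validated write to DNS host name
        f"(OA;CIIO;SW;{SERVICE_PRINCIPAL_NAME};{on_computers})",   # validated write to SPN
        f"(OA;CIIO;WP;{SERVICE_PRINCIPAL_NAME};{on_computers})",   # write servicePrincipalName
    ]


def parse_dacl(sddl):
    """Return the DACL part of an SDDL string as a list of Ace tuples
    (owner, group and the SACL after 'S:' are ignored)."""
    dacl = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))*)", sddl)
    return [Ace(*m.groups()) for m in ACE_RE.finditer(dacl.group(1))] if dacl else []


def split_rights(rights):
    """'RPWP' -> ['RP', 'WP']; a hex access mask is returned unsplit."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def audit_computers_container(sddl, group_sid):
    """Check that `group_sid` holds every delegated ACE and that no broad
    trustee holds write-class rights. Returns (missing, findings)."""
    present = set(parse_dacl(sddl))
    wanted = {Ace(*ACE_RE.match(a).groups()) for a in delegation_aces(group_sid)}
    missing = sorted(wanted - present)
    findings = []
    for ace in sorted(present):
        if ace.type in ("A", "OA") and ace.sid in BROAD_SIDS:
            risky = [r for r in split_rights(ace.rights) if r in RISKY_RIGHTS]
            if risky:
                findings.append(f"{BROAD_SIDS[ace.sid]} holds {'+'.join(risky)}")
    return missing, findings


if __name__ == "__main__":
    SUPPORTERS = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
    # Constructed descriptor: read access for Authenticated Users (as on a
    # default container), the delegation, and one overbroad ACE to catch.
    sample = ("O:DAG:DAD:PAI(A;;RPLCLORC;;;AU)"
              + "".join(delegation_aces(SUPPORTERS))
              + "(A;;GWCC;;;AU)")
    missing, findings = audit_computers_container(sample, SUPPORTERS)
    print("missing ACEs:", missing or "none")
    print("findings:", findings or "none")
```

The audit is deliberately strict about the trustee: the earlier revision of this page warned that Authenticated Users can join up to 10 workstations by default, and that default comes from the domain's ms-DS-MachineAccountQuota attribute rather than from the container's DACL, so it has to be reviewed separately; what this script catches is the related mistake of delegating create or write rights on the container to a broad group instead of to the dedicated supporters group.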

Revoking the Delegation

To stop members of the supporters group from joining and removing machines to and from the domain:

  • Open the Active Directory Users and Computers (ADUC) console as domain administrator.
  • Right-click the container or organizational unit (OU) on which you want to revoke the permissions and select Properties.
  • Navigate to the Security tab.
  • Remove the supporters group from the list.
  • Click OK.