Delegation/Joining Machines to a Domain: Difference between revisions
From SambaWiki
Mmuehlfeld (talk | contribs) (Rewrote guide. Rephrased guide to be clearer)
(5 intermediate revisions by 3 users not shown)
Latest revision as of 12:16, 28 June 2021
Introduction

Delegating permissions in an Active Directory (AD) enables the administrator to assign permissions in the directory to unprivileged users. For example, to enable help desk employees to join machines to the domain without knowing the domain administrator credentials.
Adding the Delegation

To enable the supporters group to join and remove machines to and from the domain:

- Open the Active Directory Users and Computers (ADUC) console as domain administrator.
- Create a new group supporters.
- Right-click the Computer container and select Delegate control.
- Click Next.
- Click Add, select the group supporters and click Next.
- Select Create a custom task to delegate and click Next.
- Select Only the following objects in the folder and check Computer objects from the list. Additionally select the options Create selected objects in the folder and Delete selected objects in this folder. Click Next.
- Select General and Property-specific, then select the following permissions from the list:
  - Reset password
  - Read and write account restrictions
  - Read and write DNS host name attributes
  - Validated write to DNS host name
  - Validated write to service principal name
  - Write servicePrincipalName
- Click Next.
- Click Finish.

To enable the group to join machines to multiple containers or organizational units (OU), repeat the steps on them.

A similar way to do the same on the Windows command line is described in this article: https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=48
Revoking the Delegation

To prevent members of the supporters group from joining and removing machines to and from the domain:

- Open the Active Directory Users and Computers (ADUC) console as domain administrator.
- Right-click the container or organizational unit (OU) on which you want to revoke the permissions and select Properties.
- Navigate to the Security tab.
- Remove the supporters group from the list.
- Click OK.
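As an added example (not the SambaWiki page's or Samba's own code), the following Python expresses the wizard's checkbox set as the SDDL ACEs it places on the container, and audits a container's DACL (as printed by samba-tool dsacl get, or shown in the Security tab's advanced view) for a delegated group: after the Adding steps the expected ACEs should be present and nothing broader, and after the Revoking steps all of them should be reported missing. The group SID and DACL strings are constructed placeholders; the GUIDs are the well-known AD schema and rights GUIDs, and the exact ACE layout ADUC writes may differ slightly from this reconstruction.

```python
import re

# Well-known AD GUIDs behind the wizard's checkbox names (computer class
# schemaIDGUID, rightsGuid of each control access right / property set).
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"
DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd"  # attribute and validated write
SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"  # attribute and validated write

# (rights, object GUID) per checkbox, inherited by computer objects below the
# container only (flags CI = container inherit, IO = inherit only).
WIZARD_ACES = [
    ("CR", RESET_PASSWORD),          # Reset password
    ("RPWP", ACCOUNT_RESTRICTIONS),  # Read and write account restrictions
    ("RPWP", DNS_HOST_NAME),         # Read and write DNS host name attributes
    ("SW", DNS_HOST_NAME),           # Validated write to DNS host name
    ("SW", SPN),                     # Validated write to service principal name
    ("WP", SPN),                     # Write servicePrincipalName
]

def _norm(field: str) -> str:
    """Canonicalise two-letter flag/right tokens so 'WPRP' equals 'RPWP'."""
    if field.startswith("0x") or len(field) % 2:
        return field
    return "".join(sorted(field[i:i + 2] for i in range(0, len(field), 2)))

def build_delegation_aces(group_sid: str) -> str:
    """ACE string equivalent to the wizard steps on one container or OU."""
    aces = [f"(OA;;CCDC;{COMPUTER_CLASS};;{group_sid})"]  # create/delete computers here
    aces += [f"(OA;CIIO;{rights};{guid};{COMPUTER_CLASS};{group_sid})"
             for rights, guid in WIZARD_ACES]
    return "".join(aces)

def parse_aces(sddl: str):
    """DACL (with or without 'D:') -> list of (type, flags, rights, obj, inh_obj, sid)."""
    body = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    aces = []
    for m in re.finditer(r"\(([^)]*)\)", body):
        f = m.group(1).split(";")
        if len(f) >= 6:  # skip conditional/resource ACEs with other layouts
            aces.append((f[0], _norm(f[1]), _norm(f[2]), f[3].lower(), f[4].lower(), f[5]))
    return aces

def audit_delegation(sddl: str, group_sid: str):
    """(missing, excessive): expected ACEs absent, and allow ACEs for the group beyond the set."""
    expected = set(parse_aces(build_delegation_aces(group_sid)))
    granted = {a for a in parse_aces(sddl) if a[5] == group_sid and a[0] in ("A", "OA")}
    return sorted(expected - granted), sorted(granted - expected)
```

Run audit_delegation on the DACL of every container or OU you delegated on; a non-empty second list (for example a GA or WD ACE for the group) means someone granted far more than the wizard's set.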