Delegation/Joining Machines to a Domain: Difference between revisions

From SambaWiki
(Rewrote guide. Rephrased guide to be clearar)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= Introduction =
= Introduction =


Delegating permissions in an Active Directory (AD) enables the administrator to assign permissions in the directory to unprivileged. For example, to enable a help desk employees to join machines to the domain without knowing the the domain administrator credentials.
Delegating permissions in an Active Directory (AD) enables the administrator to assign permissions in the directory to unprivileged. For example, to enable a help desk employees to join machines to the domain without knowing the domain administrator credentials.




Line 9: Line 9:
= Adding the Delegation =
= Adding the Delegation =


To enable the "supporters" group to join and remove machines to and from the domain:
To enable the <code>supporters</code> group to join and remove machines to and from the domain:


* Open the "Active Directory Users and Computers" (ADUC) console as domain administrator.
* Open the <code>Active Directory Users and Computers</code> (ADUC) console as domain administrator.


* Create a new group "supporters".
* Create a new group <code>supporters</code>.


* Right-click to the "cn=Computer" container and select "Delegate control".
* Right-click to the <code>Computer</code> container and select <code>Delegate control</code>.


* Click "Next".
* Click <code>Next</code>.


* Click "Add" and select the group "supporters" and click "Next".
* Click <code>Add</code> and select the group <code>supporters</code> and click <code>Next</code>.


* Select "Create a custom task to delegate".
* Select <code>Create a custom task to delegate</code> and click <code>Next</code>.


* Select "Only the following objects in the folder" and check "Computer objects" from the list. Additionally select the options "Create selected objects in the folder" and "Delete selected objects in this folder". Click "Next".
* Select <code>Only the following objects in the folder</code> and check <code>Computer objects</code> from the list. Additionally select the options <code>Create selected objects in the folder</code> and <code>Delete selected objects in this folder</code>. Click <code>Next</code>.


* Select "General" and "Property-specific", select the following permissions from the list and click "Next".
* Select <code>General</code> and <code>Property-specific</code>, select the following permissions from the list.
:* "Reset password"
:* <code>Reset password</code>
:* "Read and write account restrictions"
:* <code>Read and write account restrictions</code>
:* "Read and write DNS host name attributes"
:* <code>Read and write DNS host name attributes</code>
:* "Validated write to DNS host name"
:* <code>Validated write to DNS host name</code>
:* "Validated write to service principal name"
:* <code>Validated write to service principal name</code>
:* "Write servicePrincipalName"
:* <code>Write servicePrincipalName</code>


* Click "Finish".
* Click <code>Next</code>.

* Click <code>Finish</code>.


To enable the group to join machines to multiple containers or organizational units (OU), repeat the steps on them.
To enable the group to join machines to multiple containers or organizational units (OU), repeat the steps on them.


A similar way to do the same on the Windows command line is described [https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=48 in this artice].


= Revoking the Delegation =


To disable members of the <code>supporter</code> group to join and remove machines to and from the domain:


* Open the <code>Active Directory Users and Computers</code> (ADUC) console as domain administrator.


* Right-click to the container or organizational unit (OU) you want to revoke the permissions and select <code>Properties</code>.
= Revoking the Delegation =

* Navigate to the <code>security</code> tab.

* Remove the <code>supporter</code> group from the list.


* Click <code>OK</code>.
To disable members of the "supporter" group to join and remove machines to and from the domain:


* Open the "Active Directory Users and Computers" (ADUC) console as domain administrator.


* Right-click to the container or organizational unit (OU) you want to revoke the permissions and select "Properties".


* Navigate to the "security" tab.


* Remove the "supporter" group from the list.


----
* Click "OK".
[[Category:Active Directory]]

Latest revision as of 12:16, 28 June 2021

Introduction

Delegating permissions in an Active Directory (AD) enables the administrator to assign permissions in the directory to unprivileged. For example, to enable a help desk employees to join machines to the domain without knowing the domain administrator credentials.



Adding the Delegation

To enable the supporters group to join and remove machines to and from the domain:

  • Open the Active Directory Users and Computers (ADUC) console as domain administrator.
  • Create a new group supporters.
  • Right-click to the Computer container and select Delegate control.
  • Click Next.
  • Click Add and select the group supporters and click Next.
  • Select Create a custom task to delegate and click Next.
  • Select Only the following objects in the folder and check Computer objects from the list. Additionally select the options Create selected objects in the folder and Delete selected objects in this folder. Click Next.
  • Select General and Property-specific, select the following permissions from the list.
  • Reset password
  • Read and write account restrictions
  • Read and write DNS host name attributes
  • Validated write to DNS host name
  • Validated write to service principal name
  • Write servicePrincipalName
  • Click Next.
  • Click Finish.

To enable the group to join machines to multiple containers or organizational units (OU), repeat the steps on them.

A similar way to do the same on the Windows command line is described in this artice.

Revoking the Delegation

To disable members of the supporter group to join and remove machines to and from the domain:

  • Open the Active Directory Users and Computers (ADUC) console as domain administrator.
  • Right-click to the container or organizational unit (OU) you want to revoke the permissions and select Properties.
  • Navigate to the security tab.
  • Remove the supporter group from the list.
  • Click OK.



Retrieved from "https://wiki.samba.org/index.php?title=Delegation/Joining_Machines_to_a_Domain&oldid=17558"