Difference between revisions of "Delegation/Joining Machines to a Domain"

From SambaWiki
(Rewrote guide. Rephrased guide to be clearer)
m (Added tags.)
Line 9: Line 9:
 
= Adding the Delegation =
 
= Adding the Delegation =
   
To enable the "supporters" group to join and remove machines to and from the domain:
+
To enable the <code>supporters</code> group to join and remove machines to and from the domain:
   
* Open the "Active Directory Users and Computers" (ADUC) console as domain administrator.
+
* Open the <code>Active Directory Users and Computers</code> (ADUC) console as domain administrator.
   
* Create a new group "supporters".
+
* Create a new group <code>supporters</code>.
   
* Right-click to the "cn=Computer" container and select "Delegate control".
+
* Right-click to the <code>cn=Computer</code> container and select <code>Delegate control</code>.
   
* Click "Next".
+
* Click <code>Next</code>.
   
* Click "Add" and select the group "supporters" and click "Next".
+
* Click <code>Add</code> and select the group <code>supporters</code> and click <code>Next</code>.
   
* Select "Create a custom task to delegate".
+
* Select <code>Create a custom task to delegate</code>.
   
* Select "Only the following objects in the folder" and check "Computer objects" from the list. Additionally select the options "Create selected objects in the folder" and "Delete selected objects in this folder". Click "Next".
+
* Select <code>Only the following objects in the folder</code> and check <code>Computer objects</code> from the list. Additionally select the options <code>Create selected objects in the folder</code> and <code>Delete selected objects in this folder</code>. Click <code>Next</code>.
   
* Select "General" and "Property-specific", select the following permissions from the list and click "Next".
+
* Select <code>General</code> and </code>Property-specific</code>, select the following permissions from the list and click <code>Next</code>.
:* "Reset password"
+
:* <code>Reset password</code>
:* "Read and write account restrictions"
+
:* <code>Read and write account restrictions</code>
:* "Read and write DNS host name attributes"
+
:* <code>Read and write DNS host name attributes</code>
:* "Validated write to DNS host name"
+
:* <code>Validated write to DNS host name</code>
:* "Validated write to service principal name"
+
:* <code>Validated write to service principal name</code>
:* "Write servicePrincipalName"
+
:* <code>Write servicePrincipalName</code>
   
* Click "Finish".
+
* Click <code>Finish</code>.
   
 
To enable the group to join machines to multiple containers or organizational units (OU), repeat the steps on them.
 
To enable the group to join machines to multiple containers or organizational units (OU), repeat the steps on them.
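Review bot: the new line for the permissions step opens its second tag with `</code>` instead of `<code>` (`<code>General</code> and </code>Property-specific</code>`); it should read `<code>General</code> and <code>Property-specific</code>`, otherwise the markup is unbalanced. Two smaller points in the same hunk: both the old and the new text name the container `cn=Computer`, while the default container in a domain is `CN=Computers`; and "Right-click to the ... container" should be "Right-click the ... container".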
Line 43: Line 43:
 
= Revoking the Delegation =
 
= Revoking the Delegation =
   
To disable members of the "supporter" group to join and remove machines to and from the domain:
+
To disable members of the <code>supporter</code> group to join and remove machines to and from the domain:
   
* Open the "Active Directory Users and Computers" (ADUC) console as domain administrator.
+
* Open the <code>Active Directory Users and Computers</code> (ADUC) console as domain administrator.
   
* Right-click to the container or organizational unit (OU) you want to revoke the permissions and select "Properties".
+
* Right-click to the container or organizational unit (OU) you want to revoke the permissions and select <code>Properties</code>.
   
* Navigate to the "security" tab.
+
* Navigate to the <code>security</code> tab.
   
* Remove the "supporter" group from the list.
+
* Remove the <code>supporter</code> group from the list.
   
* Click "OK".
+
* Click <code>OK</code>.
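Review bot: this section calls the group `supporter` while the Adding section calls it `supporters`; the revoke steps should use the same name so the reader removes the right principal. The steps should also say that removing the group on the Security tab only drops entries set on that object (entries inherited from a parent have to be removed on the parent), and that the procedure has to be repeated on every container or OU the delegation was granted on, mirroring the note at the end of the Adding section.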

Revision as of 21:24, 9 October 2016

Introduction

Delegating permissions in Active Directory (AD) lets the administrator grant specific rights in the directory to unprivileged users or groups. For example, help desk staff can be allowed to join machines to the domain without being given the domain administrator credentials. The rights delegated below are limited to creating and deleting computer objects in one container and writing the attributes a domain join sets on those objects; the group gets no other control over the directory.



Adding the Delegation

To enable the supporters group to join machines to the domain and remove them from it:

  • Open the Active Directory Users and Computers (ADUC) console as domain administrator.
  • Create a new group supporters.
  • Right-click the CN=Computers container (or the organizational unit the machine accounts should be created in) and select Delegate control.
  • Click Next.
  • Click Add, select the group supporters and click Next.
  • Select Create a custom task to delegate.
  • Select Only the following objects in the folder and check Computer objects in the list. Additionally check Create selected objects in this folder and Delete selected objects in this folder. Click Next.
  • Under the permissions to show, check General and Property-specific, then select the following permissions from the list and click Next:
      • Reset password
      • Read and write account restrictions
      • Read and write DNS host name attributes
      • Validated write to DNS host name
      • Validated write to service principal name
      • Write servicePrincipalName
  • Click Finish.

To let the group join machines into more than one container or organizational unit (OU), repeat the steps on each of them.
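The wizard steps above can be reproduced from a PowerShell prompt on a domain-joined Windows machine with the ActiveDirectory module. The following is an added example, not code from the SambaWiki page or from the Samba project; it assumes a group named supporters and the container CN=Computers in a domain called example.com (both hypothetical, adjust them), and it applies the create/delete right to the container and everything nested under it, which is a choice made here for sub-OUs. The schema and rights GUIDs are fixed across all AD forests.

```powershell
# Added example: grant the 'supporters' group the same rights the ADUC
# "Delegate control" wizard above grants, then print what was written.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Group    = 'supporters'                        # hypothetical group name
$TargetDN = 'CN=Computers,DC=example,DC=com'    # hypothetical container

# Well-known GUIDs; identical in every Active Directory forest.
$ComputerClass    = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2' # computer object class
$ResetPassword    = [Guid]'00299570-246d-11d0-a768-00aa006e0529' # "Reset Password" extended right
$AccountRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529' # "Account Restrictions" property set
$DnsHostName      = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd' # DNS host name attrs / validated write
$ServicePrincipal = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1' # servicePrincipalName / validated write

$sid     = (Get-ADGroup $Group).SID
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# One ACE: who (the group SID), which right, on which attribute/right GUID,
# with which inheritance, applied to which object class.
function New-Ace {
    param($AdRights, [Guid]$ObjectType, $Inheritance, [Guid]$InheritedType)
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $AdRights, $Allow, $ObjectType, $Inheritance, $InheritedType
}

$aces = @(
    # "Create/Delete selected objects in this folder" for Computer objects.
    # Inheritance All = this container and anything nested under it (choice made here).
    New-Ace ($Rights::CreateChild -bor $Rights::DeleteChild) $ComputerClass ($Inherit::All) ([Guid]::Empty)

    # The remaining rights are applied to the computer objects in the container.
    New-Ace ($Rights::ExtendedRight) $ResetPassword ($Inherit::Descendents) $ComputerClass   # Reset password
    New-Ace ($Rights::ReadProperty -bor $Rights::WriteProperty) $AccountRestrict ($Inherit::Descendents) $ComputerClass  # Read/write account restrictions
    New-Ace ($Rights::ReadProperty -bor $Rights::WriteProperty) $DnsHostName     ($Inherit::Descendents) $ComputerClass  # Read/write DNS host name attributes
    New-Ace ($Rights::Self) $DnsHostName      ($Inherit::Descendents) $ComputerClass           # Validated write to DNS host name
    New-Ace ($Rights::Self) $ServicePrincipal ($Inherit::Descendents) $ComputerClass           # Validated write to SPN
    New-Ace ($Rights::WriteProperty) $ServicePrincipal ($Inherit::Descendents) $ComputerClass  # Write servicePrincipalName
)

$acl = Get-Acl -Path "AD:\$TargetDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Check: list the entries the group now holds on the container.
(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Run it once per container or OU the group should be able to join machines into. The final listing is the check to keep: every entry should be scoped to the computer class or to one of the GUIDs above; an entry with GenericAll or an empty ObjectType on the container would mean the group got more than the join needs.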



Revoking the Delegation

To stop members of the supporters group from joining machines to the domain and removing them:

  • Open the Active Directory Users and Computers (ADUC) console as domain administrator.
  • Right-click the container or organizational unit (OU) on which you want to revoke the permissions and select Properties.
  • Switch to the Security tab.
  • Select the supporters group in the list and click Remove. Only entries set on this object can be removed here; an entry inherited from a parent container has to be removed on that parent.
  • Click OK.

If the delegation was granted on several containers or OUs, repeat the steps on each of them. Revoking the delegation does not affect computer accounts the group has already joined to the domain.
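The same revocation from PowerShell, as an added example that is not code from the SambaWiki page or from the Samba project. It assumes the same hypothetical names as before (group supporters, container CN=Computers in example.com) and removes every entry the group holds directly on that object, which is what removing the group on the Security tab does; inherited entries are reported but left alone, since they can only be removed on the parent.

```powershell
# Added example: revoke all explicit ACEs of the 'supporters' group on one
# container and verify nothing explicit is left.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Group    = 'supporters'                        # hypothetical group name
$TargetDN = 'CN=Computers,DC=example,DC=com'    # hypothetical container
$sid      = (Get-ADGroup $Group).SID

$acl = Get-Acl -Path "AD:\$TargetDN"

# Show what is about to be removed. Entries with IsInherited = True come from a
# parent container and cannot be removed here.
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Format-Table ActiveDirectoryRights, ObjectType, IsInherited -AutoSize

# Remove every explicit entry for this SID (inherited ones are untouched).
$acl.PurgeAccessRules($sid)
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Check: no explicit entries for the group may remain on this object.
$left = (Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" -and -not $_.IsInherited }
if ($left) {
    Write-Warning "explicit entries for $Group still present on $TargetDN"
} else {
    Write-Output "no explicit entries left for $Group on $TargetDN"
}
```

Run it on every container or OU the delegation was granted on. If the final check still reports entries, look at their IsInherited column: an inherited entry means the group was delegated on a parent container, and that is where it has to be revoked.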