Delegation/Joining Machines to a Domain

Revision as of 21:11, 24 August 2015 by Mmuehlfeld (talk | contribs) (Split origin page into separate ones for better maintainance)

Add delegation

The following explains how to delegate the permission to join computers to the domain to members of a group that is not a domain admin group. Set this delegation only on the default container for machine accounts (CN=Computers).

Side note: By default, members of the 'Authenticated Users' group can join up to 10 workstations to the domain. This can be a security risk, and you should consider deactivating it!

  • Open the ADUC console as domain administrator.
  • Create a new group 'supporters' and add the user accounts that should later be able to join machines to the domain.
  • Right-click CN=Computers and click 'Delegate control' to open the delegation wizard.
  • Click 'Next'.
  • Click 'Add' and add the group 'supporters'. Click 'Next'.
  • Choose 'Create a custom task to delegate' on the 'Tasks to delegate' window.
  • In the 'Active Directory Object Type' window, select 'Only the following objects in the folder' and check 'Computer objects' in the list. Also check the two options 'Create selected objects in this folder' and 'Delete selected objects in this folder'. Click 'Next'.
  • In the 'Permissions' window, check 'General' and 'Property-specific'. Also select the following permissions from the list:
    • Reset password
    • Read and write account restrictions
    • Read and write DNS host name attributes
    • Validated write to DNS host name
    • Validated write to service principal name
    • Write servicePrincipalName
  • Click 'Next'.
  • Click 'Finish'.

After you have finished these steps, members of the 'supporters' group will be able to join computers to the domain.
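The same delegation can be granted from the Samba AD DC itself with samba-tool instead of ADUC. The script below is an added example, not code from the Samba wiki or the Samba project: it builds the SDDL ACEs that correspond to the wizard settings above (create/delete computer objects on the container, and the listed rights inherited onto computer objects) and applies them with 'samba-tool dsacl set'. It assumes the container CN=Computers,DC=samdom,DC=example,DC=com and that you look up the SID of the 'supporters' group first (for example with 'wbinfo --name-to-sid supporters'); the GUIDs are the standard AD schema and rights GUIDs for these permissions.

```shell
#!/bin/sh
# Added example: delegate "join computers to the domain" to a group via samba-tool.
# Run as root on a Samba AD DC. Container DN and group SID are assumptions.

COMPUTER_CLASS="bf967a86-0de6-11d0-a285-00aa003049e2"       # schemaIDGUID of the computer class
RESET_PASSWORD="00299570-246d-11d0-a768-00aa006e0529"       # control access right: reset password
ACCOUNT_RESTRICTIONS="4c164200-20c0-11d0-a768-00aa006e0529" # property set: account restrictions
DNS_HOST_NAME="72e39547-7b18-11d1-adef-00c04fd8d5cd"        # property set / validated write: DNS host name
SPN="f3a64788-5306-11d1-a9c5-0000f80367c1"                  # attribute / validated write: servicePrincipalName

# Print the ACEs for one group SID on one line. Create/delete applies to the
# container itself; every other right is inherit-only (CIIO) on computer objects,
# mirroring "Only the following objects in the folder: Computer objects".
join_delegation_aces() {
    sid="$1"
    printf '(OA;;CCDC;%s;;%s)' "$COMPUTER_CLASS" "$sid"                         # create/delete computer objects
    printf '(OA;CIIO;CR;%s;%s;%s)' "$RESET_PASSWORD" "$COMPUTER_CLASS" "$sid"   # reset password
    printf '(OA;CIIO;RPWP;%s;%s;%s)' "$ACCOUNT_RESTRICTIONS" "$COMPUTER_CLASS" "$sid" # r/w account restrictions
    printf '(OA;CIIO;RPWP;%s;%s;%s)' "$DNS_HOST_NAME" "$COMPUTER_CLASS" "$sid"  # r/w DNS host name attributes
    printf '(OA;CIIO;SW;%s;%s;%s)' "$DNS_HOST_NAME" "$COMPUTER_CLASS" "$sid"    # validated write to DNS host name
    printf '(OA;CIIO;SW;%s;%s;%s)' "$SPN" "$COMPUTER_CLASS" "$sid"              # validated write to SPN
    printf '(OA;CIIO;WP;%s;%s;%s)\n' "$SPN" "$COMPUTER_CLASS" "$sid"            # write servicePrincipalName
}

# Only accept domain SIDs (S-1-5-21-...), so a typo or a builtin SID such as
# S-1-5-32-544 cannot end up with machine-join rights by accident.
valid_sid() {
    case "$1" in
        S-1-5-21-[0-9]*-[0-9]*-[0-9]*-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the ACEs to the given container. Scope them to CN=Computers only,
# as the page recommends; do not set them on the domain root.
apply_join_delegation() {
    container="$1"; sid="$2"
    valid_sid "$sid" || { echo "refusing: '$sid' is not a domain SID" >&2; return 1; }
    samba-tool dsacl set --objectdn="$container" --sddl="$(join_delegation_aces "$sid")"
}

# Usage on the DC (assumed DN and SID; uncomment to run):
# apply_join_delegation "CN=Computers,DC=samdom,DC=example,DC=com" "S-1-5-21-1111111111-2222222222-3333333333-1107"
```

Afterwards, 'samba-tool dsacl get --objectdn=CN=Computers,DC=samdom,DC=example,DC=com' shows the resulting descriptor, which is also how you verify what the ADUC wizard wrote.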


Revoke delegation

If you want to revoke the permission for the 'supporters' group again, follow these steps:

  • Open the ADUC console as domain administrator.
  • Right-click the container on which you want to revoke the permissions and click 'Properties'.
  • Go to the 'Security' tab.
  • Delete the 'supporters' group from the list.
  • Click 'OK'.