How to determine/Identify which Users in my Domain environment is able to join Domain on work stations

Question

Hi. My issue is we have only allow 1 users in my enviroment is able to join domain on workstations. but i randomly checked with some users accounts their accounts are also able to join domain to work stations.

So how can i identify which users hve access to join domain to work stations, with any powershell command.?

Then i also blocked all the users to do this except one.

Answer 1

Hello Mihammad Moiz

To set or review delegate Domain Join permissions for the accounts, you can use the next steps:

1 - Run run Active Directory Users and Computers console (dsa.msc) as Domain Administrator.

2 - Click on the OU where the computer account will be added, right click and select Delegate Control.

3 - Add the user on the list and select next

4 - Select a custom task to delegate, select next

5 - Select Computer Objects from the list of objects and next.

6 - Check for the below noted permissions and properties.

Required

Object permissions:

ResetPassword

Recommended

Object Properties:

Write DNS Host Name Attributes

Write userAccountControl

Write servicePrincipalName

Optional

Object Properties:

Write Operating System

Write Operating System Version

Write userPrincipalName

If the computer does not exist then the only right required is "Create Computer Object" If you are joining in User Personality Mode (UPM) mode you will also need the right of "Write preferredOU".

---

--If the reply is helpful, please Upvote and Accept as answer--