How to determine/Identify which Users in my Domain environment is able to join Domain on work stations

Muhammad Moiz 0 Reputation points

Hi. My issue is we have only allow 1 users in my enviroment is able to join domain on workstations. but i randomly checked with some users accounts their accounts are also able to join domain to work stations.

So how can i identify which users hve access to join domain to work stations, with any powershell command.?

Then i also blocked all the users to do this except one.

A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,473 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
9,916 questions
A family of Microsoft relational database management systems designed for ease of use.
270 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,272 questions
Microsoft Entra
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 43,966 Reputation points

    Hello Mihammad Moiz

    To set or review delegate Domain Join permissions for the accounts, you can use the next steps:

    1 - Run run Active Directory Users and Computers console (dsa.msc) as Domain Administrator.

    2 - Click on the OU where the computer account will be added, right click and select Delegate Control.

    3 - Add the user on the list and select next

    4 - Select a custom task to delegate, select next

    5 - Select Computer Objects from the list of objects and next.

    6 - Check for the below noted permissions and properties.


    Object permissions:



    Object Properties:

    Write DNS Host Name Attributes

    Write userAccountControl

    Write servicePrincipalName


    Object Properties:

    Write Operating System

    Write Operating System Version

    Write userPrincipalName

    If the computer does not exist then the only right required is "Create Computer Object" If you are joining in User Personality Mode (UPM) mode you will also need the right of "Write preferredOU".

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments