How to determine/Identify which Users in my Domain environment is able to join Domain on work stations

Muhammad Moiz 0 Reputation points

Hi. My issue is we have only allow 1 users in my enviroment is able to join domain on workstations. but i randomly checked with some users accounts their accounts are also able to join domain to work stations.

So how can i identify which users hve access to join domain to work stations, with any powershell command.?

Then i also blocked all the users to do this except one.

Windows Group Policy
Windows Group Policy
A feature of Windows that enables policy-based administration using Active Directory.
1,883 questions
A family of Microsoft relational database management systems designed for ease of use.
24 questions
Azure Active Directory Domain Services
Microsoft Graph Permissions API
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
4,630 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 9,561 Reputation points

    Hello Mihammad Moiz

    To set or review delegate Domain Join permissions for the accounts, you can use the next steps:

    1 - Run run Active Directory Users and Computers console (dsa.msc) as Domain Administrator.

    2 - Click on the OU where the computer account will be added, right click and select Delegate Control.

    3 - Add the user on the list and select next

    4 - Select a custom task to delegate, select next

    5 - Select Computer Objects from the list of objects and next.

    6 - Check for the below noted permissions and properties.


    Object permissions:



    Object Properties:

    Write DNS Host Name Attributes

    Write userAccountControl

    Write servicePrincipalName


    Object Properties:

    Write Operating System

    Write Operating System Version

    Write userPrincipalName

    If the computer does not exist then the only right required is "Create Computer Object" If you are joining in User Personality Mode (UPM) mode you will also need the right of "Write preferredOU".

    --If the reply is helpful, please Upvote and Accept as answer--

    No comments