Delegate "Domain Join Only" permission to a standard user

Junaid 1 Reputation point
2022-03-09T00:43:27.59+00:00

Hi Everyone,

I am managing an Active Directory environment where I need to delegate permission on an OU for a few users to be able to create Computer Objects. These users will also be able to delete Computer Objects etc. I am able to configure permissions for this.

Then, I need to delegate permissions to another set of users where they will only be able to join the computers to the domain. They will not be able to delete those computer objects that were already created previously by other users. Also, they should not be able to manually create computer objects. The only permission they will have is to join the pre-staged computers to the domain.

When I try the above scenario, it gives me an error. That error basically says that the user who is joining the computer has a different set of credentials than the one who created the computer object. I can attach the screenshot as well.

What permissions do i need for second set of users to allow them to join computers to a domain created by first set of users?

Thank you.


2 answers

  1. Limitless Technology 39,926 Reputation points
    2022-03-15T14:49:05.8+00:00

    Hi @Junaid

    There are 2 ways to allow domain users of the second set to add or join the computer to the domain created by the first set of users.

    • Assign rights to the user/group using the Default Domain Group Policy.
    • Delegate rights to users using Active Directory Users and Computers.

    You can follow the below steps to Delegate rights to users using Active Directory Users and Computers.

    -Open the Active Directory Users and Computers snap-in. Right-click the container under which you want the computers to be added and click on Delegate Control.
    -To add a user or group click Add. Once you are done click Next.
    -Tasks to Delegate – Click Create a custom task to delegate. Click Next.
    -Choose Only the following objects in the folder and check the box Computer Objects. Check the box Create selected objects in this folder. Click Next.
    -Permissions – Select General, select Create All Child Objects. Click Next.

    To Delegate Permissions for Group Policy
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789195(v=ws.11)

    Hope this resolves your Query!!

    -- If the reply is helpful, please Upvote and Accept it as an answer.

    2 people found this answer helpful.
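    The same delegation as the wizard steps above, done with PowerShell so it can be scripted and verified. This is an added example, not code from the original thread or from either answer. The OU distinguished name and the group name are placeholders for your own; it assumes the RSAT ActiveDirectory module and an account allowed to modify the OU's security descriptor. It grants both CreateChild and DeleteChild, which is what the question's first set of users needs; the wizard steps in the answer grant create only, and the example scopes the right to the computer class rather than to all child objects.

```powershell
# Added example, not code from the original thread: delegate "create and delete
# computer objects" on an OU to a group with the ActiveDirectory module.
# Assumptions (placeholders, change for your environment): the OU and group below,
# and that this runs as an account allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ou    = 'OU=Domain Computers,DC=w2k12,DC=local'   # assumed OU
$group = 'create_comp'                             # assumed group for the first set of users

# Well-known schemaIDGUID of the "computer" object class. Scoping CreateChild/DeleteChild
# to this GUID is what "Only the following objects ... Computer Objects" does in the wizard.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$groupSid = (Get-ADGroup -Identity $group).SID
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this OU and sub-OUs

$acl = Get-Acl -Path "AD:\$ou"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, $rights, $allow, $computerClassGuid, $inherit)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify what the group now holds on the OU. An unscoped "Create All Child Objects"
# shows as CreateChild with an empty ObjectType; this ACE shows the computer class GUID.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$group" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

    The verification step at the end is worth keeping in any delegation script: it is the quickest way to spot an ACE that was accidentally granted for all child object classes instead of just computers.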

  2. Gary Reynolds 9,621 Reputation points
    2022-03-16T06:05:15.503+00:00

    Hi @Junaid

    Limitless' answer above covers scenario 1, which you have already configured.

    It will be a little more difficult to meet all the requirements for scenario 2, but I think we can get close.

    As someone else will be pre-staging the computer objects, you can change the delegation rights when the object is created to grant the second group permission to join the computer to the domain. By creating a new group and specifying that group when the computer object is created, this will grant the users of the group the ability to join a computer with the same name to the domain.

    [screenshot: 183531-create-computer.png]

    These are the rights that are assigned to the computer object

    [screenshot: 183456-image.png]

    However, this method does provide the group members with the ability to delete the computer object, which fails to meet one of your requirements.

    [screenshot: 183533-image.png]

    To overcome this you will need to assign the permissions manually to the OU structure that contains the computer objects. Note: By restricting these permissions you are also preventing the users from moving the computer objects to a different OU.

    You will need to assign the following permissions, all of which will be inherited by descendant computer objects. I've provided these as dsacls commands, as ADUC will not allow you to configure all of these permissions via the UI:

    Change "ou=domain computers,dc=w2k12,dc=local" to your OU and change add_comp to your group

    dsacls "ou=domain computers,dc=w2k12,dc=local" /G "add_comp:WP;logon information;computer" /I:S
    dsacls "ou=domain computers,dc=w2k12,dc=local" /G "add_comp:WP;description;computer" /I:S
    dsacls "ou=domain computers,dc=w2k12,dc=local" /G "add_comp:WP;displayname;computer" /I:S
    dsacls "ou=domain computers,dc=w2k12,dc=local" /G "add_comp:WP;samaccountname;computer" /I:S
    dsacls "ou=domain computers,dc=w2k12,dc=local" /G "add_comp:WS;Validated write to service principal name;computer" /I:S
    dsacls "ou=domain computers,dc=w2k12,dc=local" /G "add_comp:WS;Validated write to dns host name;computer" /I:S
    dsacls "ou=domain computers,dc=w2k12,dc=local" /G "add_comp:WP;account restrictions;computer" /I:S
    dsacls "ou=domain computers,dc=w2k12,dc=local" /G "add_comp:LCLORPRC;;computer" /I:S
    

    These are the permissions that will be assigned to OU:

    [screenshot: 183572-image.png]

    The only issue I can see with these permissions is that we have removed the rights to change the 'Permissions' of the computer objects, which might be required during the domain join to update the permissions of the object.

    If the domain join fails with these permissions, then I would change the last line to 'LCLORPRCWD' and run the command again. While this change doesn't give the user the right to delete the object, it does allow them to change their rights, so they could change their permissions to allow them to delete the computer object.

    If the domain join still fails with these permissions, review the netsetup.log for more details on the failure.

    Gary.

    1 person found this answer helpful.
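    The dsacls list in the answer above, applied with PowerShell and followed by a check for the caveat Gary raises about 'WD' (WriteDacl). This is an added example, not code from the original thread or from either answer. The OU and group names are placeholders; it assumes the RSAT ActiveDirectory module and an account allowed to modify the OU's security descriptor. The GUIDs for the attributes, property sets and validated writes are looked up from the schema and the Extended-Rights container rather than hardcoded, and the audit function at the end reports any ACE for the group that carries Delete, DeleteChild, DeleteTree, WriteDacl or WriteOwner on the OU.

```powershell
# Added example, not code from the original thread: apply the "join only" delegation
# (the dsacls lines above) with the ActiveDirectory module, then audit the OU's ACL.
# Assumptions (placeholders, change for your environment): the OU and group below,
# and that this runs as an account allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ou      = 'OU=Domain Computers,DC=w2k12,DC=local'   # assumed OU
$group   = 'add_comp'                                # assumed group for the join-only users
$rootDse = Get-ADRootDSE

# Look up a schemaIDGUID (attribute or class) by lDAPDisplayName.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}
# Look up a rightsGuid (property set or validated write) by its display name.
function Get-RightsGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [Guid]$obj.rightsGuid
}

$AR       = [System.DirectoryServices.ActiveDirectoryRights]
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$descOnly = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # dsacls /I:S
$computer = Get-SchemaGuid 'computer'   # inherited-object type ";computer" in dsacls
$groupSid = (Get-ADGroup -Identity $group).SID

# One entry per dsacls line: WP = WriteProperty, WS = Self (validated write),
# LCLORPRC = ListChildren, ListObject, ReadProperty, ReadControl with no object GUID.
$grants = @(
    @{ Right = $AR::WriteProperty; Guid = Get-RightsGuid 'Logon Information' },
    @{ Right = $AR::WriteProperty; Guid = Get-SchemaGuid 'description' },
    @{ Right = $AR::WriteProperty; Guid = Get-SchemaGuid 'displayName' },
    @{ Right = $AR::WriteProperty; Guid = Get-SchemaGuid 'sAMAccountName' },
    @{ Right = $AR::Self;          Guid = Get-RightsGuid 'Validated write to service principal name' },
    @{ Right = $AR::Self;          Guid = Get-RightsGuid 'Validated write to DNS host name' },
    @{ Right = $AR::WriteProperty; Guid = Get-RightsGuid 'Account Restrictions' },
    @{ Right = ($AR::ListChildren -bor $AR::ListObject -bor $AR::ReadProperty -bor $AR::ReadControl); Guid = [Guid]::Empty }
)

$acl = Get-Acl -Path "AD:\$ou"
foreach ($g in $grants) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, $g.Right, $allow, $g.Guid, $descOnly, $computer)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Audit for the caveat in the answer: an Allow ACE for the group carrying Delete,
# DeleteChild, DeleteTree, WriteDacl or WriteOwner lets it delete computer objects,
# directly or by re-ACLing them first (what adding 'WD' would do). Returns those ACEs.
function Test-JoinOnlyDelegation([string]$OuDn, [string]$GroupName) {
    $mask = [int]($AR::Delete -bor $AR::DeleteChild -bor $AR::DeleteTree -bor $AR::WriteDacl -bor $AR::WriteOwner)
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$GroupName" -and
        (([int]$_.ActiveDirectoryRights) -band $mask) -ne 0
    }
}

$bad = @(Test-JoinOnlyDelegation -OuDn $ou -GroupName $group)
if ($bad.Count -eq 0) {
    "OK: $group cannot delete or re-ACL computer objects under $ou"
} else {
    "WARNING: $group holds delete or re-ACL rights under $ou"
    $bad | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
}
```

    If you do end up adding WriteDacl ('WD') to get the join working, re-run Test-JoinOnlyDelegation afterwards; it will flag that ACE, which is the reminder that the group can now grant itself Delete and that the "no deletion" requirement is no longer enforced by the ACL alone.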
