Solved

Mini per to join computers to domain

Posted on 2015-01-27
4
256 Views
Last Modified: 2015-01-28
Hello Expert,
I have a temporary person technician that comes in once in a while to do work for us.I want to assign him with the permission to join computers into our domain and remove the computers from our domain, no other access rights.
I use windows 2008 Domain Controller.

This is what I've done so far...
1 - created a user account for the technician.
2 - On the top domain name in Active Directory i right click and selected Delegation control wizard and Added that user into the delegate control.
3 - From the Delegate common tasks i selected only "Join a computer to the domain"
4- finish

I have tested the above configuration and came to understand that the user is not able to join computers into the domain,This is where I'm stuck... I want to know what else permissions i needed to assign to this user so that he can only join computers into our domain and Absolutely no other permissions

Waiting for your support.
Thank you.
0
Comment
Question by:smpvm
  • 2
  • 2
4 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40574784
There's a few extra permissions you need to enable. You also need to use the delegate control wizard on the Computers container as this is where the computer object gets created when a machine joins the domain.

- In Active Directory Users and Computers, right click on the Computers container and then click Delegate Control..
- Click Add to add the account you created for your technician
- Select Create a custom task to delegate in the next window
- Select Only the following objects in the folder then tick the Computer objects box in the list
- Tick both the Create selected objects in this folder and Delete selected objects in this folder boxes
 
- In the next window tick these options under Show these permissions:
- General
- Property-specific
- In the Permissions box tick these options:
- Reset Password
- Read and write account restrictions
- Validated write to DNS host name
- Validated write to service principal name
Delegate-Control---Permissions-1.pngDelegate-Control---Permissions-2.png- Click Next then Finish when done
- Now try joining a computer to the domain
0
 

Author Comment

by:smpvm
ID: 40574950
Hello VB ITS,

You are the real Expert, perfect. It is working fine. Everyone happy with my solution infact the credit goes to you :)

Regards
0
 

Author Closing Comment

by:smpvm
ID: 40574951
Best solution
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40574960
Thanks smpvm! Happy to help :)
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question