Solved

Mini per to join computers to domain

Posted on 2015-01-27
4
255 Views
Last Modified: 2015-01-28
Hello Expert,
I have a temporary person technician that comes in once in a while to do work for us.I want to assign him with the permission to join computers into our domain and remove the computers from our domain, no other access rights.
I use windows 2008 Domain Controller.

This is what I've done so far...
1 - created a user account for the technician.
2 - On the top domain name in Active Directory i right click and selected Delegation control wizard and Added that user into the delegate control.
3 - From the Delegate common tasks i selected only "Join a computer to the domain"
4- finish

I have tested the above configuration and came to understand that the user is not able to join computers into the domain,This is where I'm stuck... I want to know what else permissions i needed to assign to this user so that he can only join computers into our domain and Absolutely no other permissions

Waiting for your support.
Thank you.
0
Comment
Question by:smpvm
  • 2
  • 2
4 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40574784
There's a few extra permissions you need to enable. You also need to use the delegate control wizard on the Computers container as this is where the computer object gets created when a machine joins the domain.

- In Active Directory Users and Computers, right click on the Computers container and then click Delegate Control..
- Click Add to add the account you created for your technician
- Select Create a custom task to delegate in the next window
- Select Only the following objects in the folder then tick the Computer objects box in the list
- Tick both the Create selected objects in this folder and Delete selected objects in this folder boxes
 
- In the next window tick these options under Show these permissions:
- General
- Property-specific
- In the Permissions box tick these options:
- Reset Password
- Read and write account restrictions
- Validated write to DNS host name
- Validated write to service principal name
Delegate-Control---Permissions-1.pngDelegate-Control---Permissions-2.png- Click Next then Finish when done
- Now try joining a computer to the domain
0
 

Author Comment

by:smpvm
ID: 40574950
Hello VB ITS,

You are the real Expert, perfect. It is working fine. Everyone happy with my solution infact the credit goes to you :)

Regards
0
 

Author Closing Comment

by:smpvm
ID: 40574951
Best solution
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40574960
Thanks smpvm! Happy to help :)
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question