Solved

Mini per to join computers to domain

Posted on 2015-01-27
4
254 Views
Last Modified: 2015-01-28
Hello Expert,
I have a temporary person technician that comes in once in a while to do work for us.I want to assign him with the permission to join computers into our domain and remove the computers from our domain, no other access rights.
I use windows 2008 Domain Controller.

This is what I've done so far...
1 - created a user account for the technician.
2 - On the top domain name in Active Directory i right click and selected Delegation control wizard and Added that user into the delegate control.
3 - From the Delegate common tasks i selected only "Join a computer to the domain"
4- finish

I have tested the above configuration and came to understand that the user is not able to join computers into the domain,This is where I'm stuck... I want to know what else permissions i needed to assign to this user so that he can only join computers into our domain and Absolutely no other permissions

Waiting for your support.
Thank you.
0
Comment
Question by:smpvm
  • 2
  • 2
4 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40574784
There's a few extra permissions you need to enable. You also need to use the delegate control wizard on the Computers container as this is where the computer object gets created when a machine joins the domain.

- In Active Directory Users and Computers, right click on the Computers container and then click Delegate Control..
- Click Add to add the account you created for your technician
- Select Create a custom task to delegate in the next window
- Select Only the following objects in the folder then tick the Computer objects box in the list
- Tick both the Create selected objects in this folder and Delete selected objects in this folder boxes
 
- In the next window tick these options under Show these permissions:
- General
- Property-specific
- In the Permissions box tick these options:
- Reset Password
- Read and write account restrictions
- Validated write to DNS host name
- Validated write to service principal name
Delegate-Control---Permissions-1.pngDelegate-Control---Permissions-2.png- Click Next then Finish when done
- Now try joining a computer to the domain
0
 

Author Comment

by:smpvm
ID: 40574950
Hello VB ITS,

You are the real Expert, perfect. It is working fine. Everyone happy with my solution infact the credit goes to you :)

Regards
0
 

Author Closing Comment

by:smpvm
ID: 40574951
Best solution
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40574960
Thanks smpvm! Happy to help :)
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question