Link to home
Create AccountLog in
Avatar of cmatchett
cmatchettFlag for United Kingdom of Great Britain and Northern Ireland

asked on

delegating rights to computer accounts to create objects in Active Directory


Is it possible to delegate rights to computer accounts to create objects in Active Directory.   Looking at a particular automation scenario....
Avatar of Will Szymkowski
Will Szymkowski
Flag of Canada image

Yes you can delegate rights to a computer. I am not sure when you would want to do this (for creating users) but you can in fact provide computers specific ACL's as well just like you can with Users or Groups.

Avatar of cmatchett


thanks for the quick response.  I have never come across any technical documentation that advises than you can use computer accounts to perform actions against AD
I was just about to type no, but Will has thrown me there

You can't do it via the delegation of control wizard as it is only users and groups there so it must be at the ACL level....I need to go find a DC and take a look!
hey dleaver,  

when you use the delegation of control wizard, you can choose individual computer accounts.  Whether or not this works when u use computer accounts is another story.
So you can (just didn't adjust the lookup to include computers), you can also apply the permissions manually through the ACL tab on the OU - But I don't have capacity to check this right now to see if this actually grants the rights expected.
how would you go about testing this?
Tricky, couple of options spring to mind...

Install RSAT tools for AD on the computer you want to have delegated rights.  Delegate the permissions through the wizard to the computer or manually as required (potential reboot required)
Login in as a non-admin user and see if the delegated rights work from that PC....seems unlikely.

Alternatively use DS tools with the -u switch accompanied by the name of the Computer (potentially computer$) - I imagine this would work more as a scripted task with the computer object as the authorised object

Not sure whether any further delegation may be need to be applied on the computer object itself (such as trusting it for delegation like you would for other services)

Comes down to what you are using this for...
"how would you go about testing this" - easy.
Delegate the permissions to computer account "test".
Logon to test as local admin.
Download and extract pstools (microsoft freeware) to c:\pstools
Open an elevated command prompt and enter: psexec -s -i cmd
-a new shell opens with system rights, you now act as the computer-
now launch: net user /add testuser testpw /domain
(Of course this will only work if you have set these permission on the container "computers" in AD which is the default container for new accounts)
See if it got created there.
ok - thanks for this.  will give it a test
Avatar of cmatchett
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
ended up testing with the actual automation solution