delegating rights to computer accounts to create objects in Active Directory

cmatchett
cmatchett used Ask the Experts™
on
Hey,

Is it possible to delegate rights to computer accounts to create objects in Active Directory.   Looking at a particular automation scenario....
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Yes you can delegate rights to a computer. I am not sure when you would want to do this (for creating users) but you can in fact provide computers specific ACL's as well just like you can with Users or Groups.

Will.

Author

Commented:
thanks for the quick response.  I have never come across any technical documentation that advises than you can use computer accounts to perform actions against AD
I was just about to type no, but Will has thrown me there

You can't do it via the delegation of control wizard as it is only users and groups there so it must be at the ACL level....I need to go find a DC and take a look!
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
hey dleaver,  

when you use the delegation of control wizard, you can choose individual computer accounts.  Whether or not this works when u use computer accounts is another story.
So you can (just didn't adjust the lookup to include computers), you can also apply the permissions manually through the ACL tab on the OU - But I don't have capacity to check this right now to see if this actually grants the rights expected.

Author

Commented:
how would you go about testing this?
Tricky, couple of options spring to mind...

Install RSAT tools for AD on the computer you want to have delegated rights.  Delegate the permissions through the wizard to the computer or manually as required (potential reboot required)
Login in as a non-admin user and see if the delegated rights work from that PC....seems unlikely.

Alternatively use DS tools with the -u switch accompanied by the name of the Computer (potentially computer$) - I imagine this would work more as a scripted task with the computer object as the authorised object

Not sure whether any further delegation may be need to be applied on the computer object itself (such as trusting it for delegation like you would for other services)

Comes down to what you are using this for...
Distinguished Expert 2018

Commented:
"how would you go about testing this" - easy.
Delegate the permissions to computer account "test".
Logon to test as local admin.
Download and extract pstools (microsoft freeware) to c:\pstools
Open an elevated command prompt and enter: psexec -s -i cmd
-a new shell opens with system rights, you now act as the computer-
now launch: net user /add testuser testpw /domain
(Of course this will only work if you have set these permission on the container "computers" in AD which is the default container for new accounts)
See if it got created there.

Author

Commented:
ok - thanks for this.  will give it a test
apologies for the delay, was about to test with the above and realized to myself why i wasn't testing with the actual automation solution.  Tested and it worked.

Author

Commented:
ended up testing with the actual automation solution

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial