In this post I am going to delegate control in Active Directory to a user so that the user can add computers to the domain.
First of all, the user I created is called DomJoin. In this article I will give this user only the permissions needed to add computer objects to the domain, because this account will be used as a service account to add computers to the domain during SCCM OSD, within the scope of the articles I’ve been publishing about installing SCCM.
How to Delegate Control
I will be delegating control over the default “Computers” container in Active Directory.
Open “Active Directory Users and Computers”. Right-click over the “Computers” container and select “Delegate Control…”.
Press “Next” at the Wizard welcome window. At the next window press “Add”.
Select the user that you wish to delegate the control to and press “OK”. Press “Next” at the next screen.
Choose “Create a custom task to delegate” and press “Next”.
Now select “Only the following objects in the folder:”, then check “Computer objects” and “Create selected objects in the folder”. Press “Next”.
On the next screen check “Property-specific” and “Read All Properties”. You have to select something here because the wizard doesn’t let you continue otherwise, so checking only “Read All Properties” keeps the grant as small as the wizard allows. Click “Finish” at the next screen and we’re done. You should now be able to add computers to the domain with the specified account.
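The same delegation can be applied from PowerShell, which is handy when you want it scripted and repeatable, and it makes it easy to verify afterwards that DomJoin holds exactly the two rights the wizard granted (create computer objects in the container, read all properties of computer objects beneath it) and nothing more. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module is available, that the domain is contoso.com (a placeholder) and that the delegated user is DomJoin from this article.

```powershell
# Added example: delegate "create computer objects" plus "read all properties
# on computer objects" to DomJoin on the default Computers container.
# Assumptions (placeholders): domain DC=contoso,DC=com, account CONTOSO\DomJoin.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName          # e.g. DC=contoso,DC=com
$container  = "CN=Computers,$domainDN"
$delegate   = Get-ADUser -Identity 'DomJoin'
$sid        = [System.Security.Principal.SecurityIdentifier]$delegate.SID

# Look up the schemaIDGUID of the "computer" class instead of hard-coding it,
# so the ACE is scoped to computer objects only (what the wizard calls
# "Only the following objects in the folder: Computer objects").
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [Guid]$computerClass.schemaIDGUID

$acl = Get-Acl -Path "AD:\$container"

# ACE 1: CreateChild limited to objectType = computer, on the container itself.
$createComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# ACE 2: ReadProperty (all properties) inherited by computer objects only.
$readComputerProps = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($createComputer)
$acl.AddAccessRule($readComputerProps)
Set-Acl -Path "AD:\$container" -AclObject $acl

# Verification: list every ACE on the container that names DomJoin. You should
# see exactly CreateChild (ObjectType = computer GUID) and ReadProperty
# (InheritedObjectType = computer GUID); anything broader means the
# delegation went further than intended and should be reviewed.
(Get-Acl -Path "AD:\$container").Access |
    Where-Object { $_.IdentityReference -eq "$((Get-ADDomain).NetBIOSName)\DomJoin" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run this once on a domain controller or a workstation with RSAT, as a user who is allowed to modify the container’s security descriptor. The verification query at the end is also useful on its own as a periodic check that nobody has since widened the account’s rights; when testing from a client, `Add-Computer -DomainName contoso.com -Credential CONTOSO\DomJoin` (with the placeholder values replaced) exercises exactly the rights granted here.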
Testing it at a computer:
Remember that, to add or remove a computer from a domain, you’ll need to use an account that has administrative rights on the client computer, besides being able to manage computer objects in the domain. With that in mind, what I usually do is create a group of users, usually the Support Team, and add this group as local administrators on the client computers. If you’d like to know how to do that, please read about it here.
As always, if you found this article useful, share it with your friends.
If you have any questions or suggestions, leave your comment.
Thank you for reading!