Delegate Control in Active Directory – Managing Computer Objects

In this post I am going to delegate control in Active Directory to a user so that it can add computers to a domain.

First of all,

The user

The user I created is called DomJoin and in this article I will solely give this user permissions to add computer objects to the domain, as this is account will be used as a service account to add computers to the domain during SCCM OSD, within scope of the articles I’ve been publishing about installing SCCM.

How to Delegate Control

I will be delegating control over the default “Computers” container in Active Directory.

Open “Active Directory Users and Computers”. Right-click over the “Computers” container and select “Delegate Control…”.

Delegate Control in Active Directory

Press “Next” at the Wizard welcome window. At the next window press “Add”.

Delegate Control in Active Directory

Select the user that you wish to delegate the control to and press “OK”. Press “Next” at the next screen.

Delegate Control in Active Directory

Choose “Create a custom task to delegate” and press “Next”.

Delegate Control in Active Directory

Now select “”Only the following objects in the folder:”, check “Computer objects”, “Create selected objects in the folder”. Press “Next”.

Delegate Control in Active Directory

On the next screen check “Property-specific” and “Read All Properties”. You have to select something here because the wizard doesn’t let you go through if you don’t, so we’re safe if we check only the “Read All Properties”. Click “Finish” at the next screen and we’re done. You should be able to add computers to the domain with the specified account.

Delegate Control in Active Directory

Testing it at a computer:

Delegate Control in Active Directory

Conclusive note

Remember that, to add or remove a computer from a domain, you’ll need to use an account that have administrative rights at the client computer, besides being able to manage computer objects in the domain. Having that in mind, what I usually do is to create a group of users, usually the Support Team, and add this group of users as local administrators at the client computers. If you’d like to know how to do that, please read about it here.

As always, if you found this article useful, share it with your friends.

If you have any questions or suggestions, leave your comment.

Thank you for reading!

2 thoughts on “Delegate Control in Active Directory – Managing Computer Objects

  • Saturday June 10th, 2017 at 08:52 AM

    Wonderful blog you have here but I was curious if you knew of any community forums that cover the
    same topics discussed in this article? I’d really like to be a
    part of online community where I can get advice from other knowledgeable
    people that share the same interest. If you have any recommendations, please let me know.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

By continuing to use the site, you are agreeing to the use of cookies. More information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" then you are consenting to this. To know more please read here our Privacy Policy