Allow Domain User To Add Computer to Domain

In this guide we’ll go through the steps to allow a domain user to add a computer to the domain. This can be useful in scenarios where some of the preparation for a PC is done by office staff, or where branch offices need to re-join a PC after resetting it, and so on.

By default, an authenticated user has the right to join up to 10 computers to the domain. After exceeding this limit the user will receive an error message.

To get around this we can delegate the right to Create Computer Objects in Active Directory. This ensures that there is no restriction on the number of computer objects that the user with this delegation right can add to the domain.

The best way of achieving this is by delegating control to a “Security Group” that we create in “Active Directory”.

Delegating rights to User/Group with Active Directory Users and Computers

So open up Active Directory Users and Computers and create a Security Group that we will delegate control to. For this example we have created a group called “RL_Join_Domain”.

Now we also have to choose the container that this group can add computers to. For this example we have a “Computers” container in our domain. Right-click the container and choose Delegate Control.

This opens up the Delegation of Control Wizard. Hit Next.

To add a user or group hit Add. Once you are done hit Next.

Tasks to Delegate – Hit Create a custom task to delegate. Hit Next.

Choose Only the following objects in the folder and mark the checkbox Computer Objects. Mark the checkbox Create selected objects in this folder. Hit Next.

Permissions – Mark “General” and “Creation/deletion of specific child objects” and mark “Create All Child Objects”. Hit Next.

Hit Finish.

You’ve now delegated control to join computers to the domain to the security group called RL_Join_Domain.
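
To confirm what the wizard actually granted, the container's ACL can be checked for "create child" entries that cover computer objects. The script below is an added example, not part of the original guide: the function name `Get-ComputerCreateAce` is hypothetical, the sample descriptor and its SIDs are constructed, and the distinguished name in the last comment is a placeholder.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# schemaIDGUID of the "computer" class (identical in every forest).
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-ComputerCreateAce {
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity]$SecurityDescriptor
    )
    $create  = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $SecurityDescriptor.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $create)) { continue }
        # Guid.Empty means the ACE is not limited to one object class.
        if ($ace.ObjectType -eq [guid]::Empty) { $scope = 'any class' }
        elseif ($ace.ObjectType -eq $ComputerClass) { $scope = 'computer' }
        else { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Creates   = $scope
            Inherited = $ace.IsInherited
        }
    }
}

# Constructed sample descriptor (SIDs are made up). The first ACE is the shape
# of a "create computer objects" delegation to a group such as RL_Join_Domain.
$sddl = 'O:BAG:BAD:' +
        '(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
        '(A;;RPLCRC;;;AU)' +
        '(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($sddl)
Get-ComputerCreateAce -SecurityDescriptor $sd | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module; the DN is a placeholder):
#   Get-ComputerCreateAce -SecurityDescriptor (Get-Acl 'AD:\CN=Computers,DC=example,DC=com')
```

On the sample descriptor this reports the delegated group's SID with scope `computer` and the Builtin Administrators entry with scope `any class`; the read-only Authenticated Users entry is skipped.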

Now we are going to test to see if it actually works:

We added a test user to the “RL_Join_Domain” group.

The user is a normal “Domain User” with membership in the “RL_Join_Domain” group.

We test this on a Windows 10 VM that has previously joined ten Computer Objects to the domain, making this attempt eleven.

Success!

Next up!

We are going to delegate permissions to a security group so that they can modify the “Manager” field in Active Directory.

Stay tuned, and as always, if you have suggestions for articles or topics you’d like to be brought up in the future, leave a comment or tweet me at @UlvBjornsson.
