In this guide we’ll go through the steps to allow a domain user to add a computer to the domain. This is useful in scenarios where some of the preparation of a PC is done by office staff, or where branch offices need to re-join a PC after resetting it, and so on.
By default an authenticated user has the right to join up to 10 computers to the domain. The limit is the ms-DS-MachineAccountQuota attribute on the domain object (default value 10), and once the user exceeds it the join fails with an error message saying the maximum number of computer accounts has been exceeded.
To get around this we can delegate the right to Create Computer Objects in Active Directory on a specific container. Delegated create rights are not counted against the quota, so a user with this delegation can add as many computer objects to that container as needed. (Many organizations also lower the quota to 0 so that only delegated accounts can join computers at all; that is optional, but it makes the delegated group the single, auditable path for joins.)
The best way of achieving this is to delegate control to a security group that we create in Active Directory, rather than to individual user accounts.
Delegating rights to User/Group with Active Directory Users and Computers
So open up Active Directory Users and Computers and create a security group that we will delegate control to. For this example we have created a group called “RL_Join_Domain”.
Next we have to choose the container that this group will be allowed to add computers to. For this example we use the “Computers” container in our domain. Right-click the container and choose “Delegate Control…”.
This opens up the Delegation of Control Wizard. Hit Next.
To add a user or group hit Add. Once you are done hit Next.
Tasks to Delegate – Hit Create a custom task to delegate. Hit Next.
Choose Only the following objects in the folder and mark the checkbox Computer Objects. Mark the checkbox Create selected objects in this folder. Hit Next.
Permissions – Mark “General” and “Creation/deletion of specific child objects” and mark “Create All Child Objects”. Hit Next.
You’ve now delegated the right to create computer objects in that container, and therefore to join computers to the domain, to the security group RL_Join_Domain. Keep in mind that members of this group can create an unlimited number of computer accounts and, as the creators of those objects, can also modify them, so treat membership in the group as a privilege and review it regularly.
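The same delegation can be scripted, which is handy for branch offices or for keeping the change in version control. The block below is an added example and is not code from the original article: it assumes the ActiveDirectory RSAT module, a Domain Admin session, and illustrative names (the group RL_Join_Domain from the article, a target container of CN=Computers,DC=example,DC=com, and CN=Users,DC=example,DC=com as the place to create the group). It goes slightly further than the wizard steps above by scoping the ACE to the computer object class only and by showing how to read (and optionally zero) the ms-DS-MachineAccountQuota attribute that causes the “10 joins” limit.

```powershell
# Added example (not from the original post): delegate "Create Computer Objects"
# on one container to a security group, then verify the resulting ACE.
# Assumptions: ActiveDirectory module available, running as Domain Admin,
# all DNs below are illustrative and must be adjusted for your domain.
Import-Module ActiveDirectory

$GroupName = 'RL_Join_Domain'                  # group name used in the article
$GroupPath = 'CN=Users,DC=example,DC=com'      # assumed: where the group is created
$TargetDN  = 'CN=Computers,DC=example,DC=com'  # assumed: container that receives the delegation

# 1. Create the security group if it does not exist yet
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
                -GroupScope Global -GroupCategory Security -Path $GroupPath -PassThru
}

# 2. Look up the schemaIDGUID of the 'computer' class so the ACE only allows
#    creating computer objects, not arbitrary child objects.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                    -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID   # byte[] -> Guid

# 3. Build the ACE: Allow CreateChild, object type = computer, this container only.
#    Use ActiveDirectorySecurityInheritance::All instead of None if sub-OUs should be included.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# 4. Apply the ACE through the AD: PSDrive provided by the ActiveDirectory module
$aclPath = "AD:\$TargetDN"
$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# 5. Verify: the group should now hold exactly one Allow/CreateChild ACE whose
#    ObjectType equals the computer class GUID found in step 2.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-List

# 6. Show the attribute that enforces the default "10 joins per user" limit.
#    Setting it to 0 (commented out) makes the delegated group the only way to join computers.
$domainDN = (Get-ADDomain).DistinguishedName
Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object 'ms-DS-MachineAccountQuota'
# Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

To exercise the delegation from a client, a member of the group can run `Add-Computer -DomainName example.com -Credential (Get-Credential) -OUPath $TargetDN` (again with the domain name and DN adjusted); pointing `-OUPath` at the delegated container matters, because the ACE above applies to that container only.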
Now we are going to test to see if it actually works:
We added a test user to the “RL_Join_Domain“-group.
The user is a normal “Domain User” with membership in the “RL_Join_Domain” group.
We test this from a Windows 10 VM, using a user account that has already joined ten computers to the domain, so this attempt is the eleventh and would have failed without the delegation.
Next time we are going to delegate permissions to a security group so that its members can modify the “Manager” field in Active Directory.
Stay tuned, and as always if you have suggestions for articles or topics you’d like to be brought up in the future leave a comment or tweet me at @UlvBjornsson