Joining a computer to a domain

  • Joining a computer to a domain

    What is the exact permission needed to join a computer to a domain? I mean, if there is already a computer object in AD for PC1, and you want to join PC1 to the domain, which exact permission(s) will the user need to do so?

    I know that the NewObject - Computer wizard over-delegates, so I want to know the exact permission(s). I am btw thinking of joining a computer to a domain, and not creating a computer object in an OU, or is the permission used to perform both tasks the same (create computer objects)?

  • #2
    Re: Joining a computer to a domain

    The permissions are not the same for creating computer accounts then joining them.

    If you want to provide a group of individuals with the ability to join computers to the domain after the account has been created, you can, at the OU level, give permissions to a security group: open the OU's Security tab, click Advanced, add the group, open its properties, go to the Properties tab, apply to Descendant Computer Objects, and grant Read/Write all properties.

    That should do it.
    JM @ IT Training & Consulting
    http://www.itgeared.com



    • #3
      Re: Joining a computer to a domain

      Thanks. I guess it's hard to say exactly what permission(s) (of those properties permissions) are needed.



      • #4
        Re: Joining a computer to a domain

        In the properties tab, there is a Read All Properties attribute and also a Write All Properties attribute. Enable both.
        JM @ IT Training & Consulting
        http://www.itgeared.com



        • #5
          Re: Joining a computer to a domain

          Will you be using a specific account to add systems to the domain?



          • #6
            Re: Joining a computer to a domain

            Originally posted by [JM]:
            In the properties tab, there is a Read All Properties attribute and also a Write All Properties attribute. Enable both.
            Yes, but does one really need to have the permissions to read and write ALL properties? Perhaps there are just a few of them that are needed. But I'm guessing that in the real world, if you want to delegate this task to someone, you just give them the create computer objects permission on the OU where the computer accounts are located?


            Originally posted by wullieb1:
            Will you be using a specific account to add systems to the domain??
            No, I just wanted to know how this task is delegated in the real world, especially since MS discourages you from using the option in the new computer object wizard because it over-delegates, and one doesn't use that wizard when creating many (let's say 50, for example) computer objects anyway.



            • #7
              Re: Joining a computer to a domain

              Isn't there a "join computer to domain" user right? Just assign that via GPO and you will get appropriate permissions.
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland

              ** Remember to give credit where credit is due and leave reputation points where appropriate **



              • #8
                Re: Joining a computer to a domain

                Originally posted by Ossian:
                Isn't there a "join computer to domain" user right? Just assign that via GPO and you will get appropriate permissions.
                Perhaps you are thinking of the "Add workstations to domain" user right, that must be set on a DC, to be able to create computer objects in the domain?



                • #9
                  Re: Joining a computer to a domain

                  Yes, that is the correct name for it. It is set via a GPO and allows the specified users or groups to add workstations, therefore it must grant the relevant permissions. The user does not need direct access to a DC, just to the computer they are adding.

                  What is the problem with using it?
                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **



                  • #10
                    Re: Joining a computer to a domain

                    Ossian, I would agree with your suggestion. However, I think that Balthier is looking for the exact custom permissions (for some reason) no more/no less to join a computer to the domain.
                    JM @ IT Training & Consulting
                    http://www.itgeared.com



                    • #11
                      Re: Joining a computer to a domain

                      These are the required permissions to add a computer to the domain. They work because we use an account with these permissions to add PCs that are imaged using MDT.

                      1. Open the Active Directory Users and Computers console.
                      2. Select the View menu, then toggle on Advanced Features.
                      3. Create an organizational unit (for example DeployedComputers) that will contain the computer accounts of newly deployed computers. (This way you won't have to modify the permissions on the default Computers container.)
                      4. Open the properties of the DeployedComputers OU and select the Security tab.
                      5. Click Advanced to open the Advanced Security Settings dialog for the OU.
                      6. Click Add and add an ACE for your mdt_join account to the ACLs for this OU.
                      7. In the Permission Entry dialog, assign Allow permissions (with scope set to This Object And All Descendant Objects) as follows:
                         - Create computer objects
                         - Delete computer objects
                      8. Click OK, then click Add again and add a second ACE for your mdt_join account that assigns Allow permissions (with scope set to Descendant Computer Objects) as follows:
                         - Read all properties
                         - Write all properties
                         - Read permissions
                         - Write permissions
                         - Change password
                         - Reset password
                         - Validated write to DNS host name
                         - Validated write to service principal name
                      9. Click OK repeatedly to close all open dialogs.

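As an added example (not part of wullieb1's post, nor MDT's or Microsoft's own code), the two ACEs from steps 7 and 8 above written as a PowerShell script using the ActiveDirectory module. The OU distinguished name and the domain are constructed placeholders, the mdt_join account is the one named in the post, and the computer class GUID and the extended-right GUIDs are looked up from the schema and configuration partitions by their English display names rather than hardcoded.

```powershell
# Added example: delegate the "join computer to domain" ACEs from steps 7 and 8
# with the ActiveDirectory module. Assumed values, adjust for your environment:
Import-Module ActiveDirectory
$OuDN    = 'OU=DeployedComputers,DC=example,DC=com'   # constructed placeholder
$Account = Get-ADUser -Identity 'mdt_join'            # account named in the post
$rootDse = Get-ADRootDSE
# Resolve the computer class GUID and the extended-right GUIDs from the forest
# itself instead of hardcoding them.
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$right = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $right[$_.displayName] = [guid]$_.rightsGuid }
$sid   = $Account.SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rules = @(
    # Step 7: create/delete computer objects, "This object and all descendant objects"
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow, $computerGuid, $all)
    # Step 8: read/write all properties and permissions on "Descendant Computer objects"
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty, ReadControl, WriteDacl',
        $allow, $desc, $computerGuid)
)
# Step 8 continued: the two password extended rights and the two validated writes
foreach ($name in 'Change Password', 'Reset Password') {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $right[$name], $desc, $computerGuid)
}
foreach ($name in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        $allow, $right[$name], $desc, $computerGuid)
}
$acl = Get-Acl -Path "AD:\$OuDN"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$OuDN" -AclObject $acl
# Check the result: every ACE now granted to the account on this OU
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($Account.SamAccountName)" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The final listing is the same information the Advanced Security Settings dialog shows, so it can be compared against steps 7 and 8 one ACE at a time.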


                      • #12
                        Re: Joining a computer to a domain

                        Wullieb1, do you have to carry out both step 7 and 8? I'll try it in a lab.

                        Originally posted by Ossian:
                        Yes, that is the correct name for it. It is set via a GPO and allows the specified users or groups to add workstations, therefore it must grant the relevant permissions. The user does not need direct access to a DC, just to the computer they are adding.

                        What is the problem with using it?
                        But the GPO with that user right must be applied to the Domain Controllers OU, or an OU where one or more DCs reside, right?


                        Originally posted by [JM]:
                        Ossian, I would agree with your suggestion. However, I think that Balthier is looking for the exact custom permissions (for some reason) no more/no less to join a computer to the domain.
                        The reason is the 70-640 exam. I just figured I might be asked a question about it on the exam, but it does not seem likely, as I am not able to find the exact permission(s), and I have not encountered that question in any of the practice exams.



                        • #13
                          Re: Joining a computer to a domain

                          Originally posted by Balthier:
                          The reason is the 70-640 exam. I just figured I might be asked a question about it on the exam, but it does not seem likely, as I am not able to find the exact permission(s), and I have not encountered that question in any of the practice exams.
                          Even if the reason were purely curiosity, it's valid and a good exercise. Understanding how permissions work will empower you to properly delegate permissions in the directory so that you do not give more rights and permissions than necessary. This is a good practice.

                          The issue is that the custom permissions you are asking about are not well documented. Furthermore, certain built-in groups already have the rights needed to perform the actions you are requesting, and these rights already exist and can be easily granted. Therefore, most administrators balance the fact that they have a vehicle to use to provide rights and permissions against how much time it takes to get more granular.

                          The best thing you can do is just try it in a lab. Post your results so that others can learn from your experience.
                          JM @ IT Training & Consulting
                          http://www.itgeared.com



                          • #14
                            Re: Joining a computer to a domain

                            Originally posted by Balthier:

                            But the GPO with that user right must be applied to the Domain Controllers OU, or an OU where one or more DCs reside, right?
                            No, it would be applied to the OU with the users in it.
                            Tom Jones
                            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                            PhD, MSc, FIAP, MIITT
                            IT Trainer / Consultant
                            Ossian Ltd
                            Scotland

                            ** Remember to give credit where credit is due and leave reputation points where appropriate **



                            • #15
                              Re: Joining a computer to a domain

                              Originally posted by Balthier:
                              Wullieb1, do you have to carry out both step 7 and 8? I'll try it in a lab.
                              Yes, you do. That is where the permissions are set.
