Introduction

When working as an IT administrator and delegating security access to users, always follow the “Principle of least privilege.” This term means that you should only give users the minimum amount of access required for a specific task.

The easiest way to add computers to a domain is by using a domain administrator account, but that adds some obvious security concerns.

In this blog post, I explain the minimum permissions required for a domain account to join a computer to an Active Directory domain and delegate these permissions in AD.

What delegated rights in Active Directory are required?

To allow a user to add computer join a computer to an Active Directory domain, the user requires the privilege:
join computer to AD domain.

It requires the following permissions in Active Directory to join a computer to the domain:

  • Create computer objects
  • Delete computer objects

Delegate domain join rights to a user in Active Directory

Delegating domain join access is a simple task in Windows Server using the Delegation of Control wizard.

Here’s how you delegate the permissions:

1. Open Active Directory Users & Computers

2. Right-click the desired domain and select Delegate Control

Domain join permissions

3. Press Next on the first screen

4. Press Add

domain join delegation permissions

5. Find the desired AD user or group.

6. Press OK and then press Next

7. Select Join a computer to a domain

8. Press Next and then Finish

Conclusion

You should never delegate more permissions to the user than what they require.

Using the Delegation of Control functionality in Active Directory helps with this task.

How do you delegate tasks to users in Active Directory? Please leave a comment below!

References

Related posts

8 COMMENTS

  1. Can you also help what least privilege access can be granted to our Wintel team to install patches and reboot the server. But shouldn’t be a domain admin or Built in server administrator as it gives unrestricted access

  2. Ideally you would create the Join / Delete permission against a group, and put your ‘User or Team’ into the delegation.

    Additionally you would not put the delegation on the domain, but likely a sub OU for Workstation – where say you want PCs or maybe a separate delegation ( ie Server Joiners ) for the Servers OU.

LEAVE A REPLY

Please enter your comment!
Please enter your name here