How To Delegate Permissions to Allow a User to Join a Computer to an AD Domain

Introduction

When working as an IT administrator and delegating security access to users, always follow the “Principle of least privilege.” This term means that you should only give users the minimum amount of access required for a specific task.

The easiest way to add computers to a domain is by using a domain administrator account, but that adds some obvious security concerns.

In this blog post, I explain the minimum permissions required for a domain account to join a computer to an Active Directory domain and delegate these permissions in AD.

What delegated rights in Active Directory are required?

To allow a user to add computer join a computer to an Active Directory domain, the user requires the privilege:
join computer to AD domain.

It requires the following permissions in Active Directory to join a computer to the domain:

• Create computer objects
• Delete computer objects

Delegate domain join rights to a user in Active Directory

Delegating domain join access is a simple task in Windows Server using the Delegation of Control wizard.

Here’s how you delegate the permissions:

1. Open Active Directory Users & Computers

2. Right-click the desired domain and select Delegate Control

3. Press Next on the first screen

4. Press Add

5. Find the desired AD user or group.

6. Press OK and then press Next

7. Select Join a computer to a domain

8. Press Next and then Finish

Conclusion

You should never delegate more permissions to the user than what they require.

Using the Delegation of Control functionality in Active Directory helps with this task.

How do you delegate tasks to users in Active Directory? Please leave a comment below!

References

• Microsoft Docs – Delegate control Active Directory

Related posts

• Add users to Active Directory using a CSV file
• How to use nltest to determine Active Directory site used by client
• Powershell script to add users to an AD group using alternate credentials