When working as an IT administrator and delegating security access to users, always follow the “Principle of least privilege.” This term means that you should only give users the minimum amount of access required for a specific task.
The easiest way to add computers to a domain is by using a domain administrator account, but that adds some obvious security concerns.
In this blog post, I explain the minimum permissions required for a domain account to join a computer to an Active Directory domain and delegate these permissions in AD.
What delegated rights in Active Directory are required?
To allow a user to join a computer to an Active Directory domain, the user requires the privilege:
Join a computer to the domain.
Joining a computer to the domain requires the following permissions in Active Directory:
- Create computer objects
- Delete computer objects
Delegate domain join rights to a user in Active Directory
Delegating domain join access is a simple task in Windows Server using the Delegation of Control wizard.
Here’s how you delegate the permissions:
1. Open Active Directory Users & Computers
2. Right-click the desired domain and select Delegate Control
3. Press Next on the first screen
4. Press Add
5. Find the desired AD user or group
6. Press OK and then press Next
7. Select Join a computer to a domain
8. Press Next and then Finish
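The same delegation can be scripted instead of clicking through the wizard. The following PowerShell is an added example, not code from the original post: it grants exactly the two permissions listed above (Create computer objects, Delete computer objects) to a security group on a chosen container and then reads the ACL back so you can confirm that nothing broader was granted. The domain name example.com, the group name DomainJoiners and the OU=Workstations container are assumed placeholder values; it requires the ActiveDirectory RSAT module and must be run by an account that may modify the target's ACL.

```powershell
# Added example (not from the original post): delegate "Join a computer to a domain"
# with PowerShell instead of the Delegation of Control wizard.
# Assumed values: domain example.com, group DomainJoiners, target OU=Workstations.
Import-Module ActiveDirectory

$TargetDN  = "OU=Workstations,DC=example,DC=com"   # scope of the delegation
$GroupName = "DomainJoiners"                        # security group receiving the right

# Look up the schemaIDGUID of the "computer" object class so the ACE applies
# to computer objects only, not to users, groups or other child objects.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq "computer" } `
                              -Properties schemaIDGUID
$ComputerClassGuid = [Guid]$computerClass.schemaIDGUID

$group = Get-ADGroup -Identity $GroupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Read the current ACL of the target container through the AD: drive
$acl = Get-Acl -Path "AD:\$TargetDN"

# "Create computer objects" + "Delete computer objects", inherited by sub-OUs
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Verify: show only the ACEs held by the delegated group on the target.
# Expect CreateChild, DeleteChild with ObjectType equal to the computer class GUID.
(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Targeting an OU rather than the domain root keeps the delegation to the containers where computers are actually created, and filtering on the computer class GUID is what stops the grant from becoming "create any child object". The final query is the check worth running after any delegation, wizard or script: if the group shows up with more than CreateChild and DeleteChild on the computer class, more than the least privilege has been handed out.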
You should never delegate more permissions to the user than what they require.
Using the Delegation of Control functionality in Active Directory helps with this task.
How do you delegate tasks to users in Active Directory? Please leave a comment below!
Daniel, can this delegation of control be used to delegate to a security group instead of an individual, or must it always be a user only?
Yes, you can use the method to delegate to a security group instead of a user. I have updated the blog post to reflect this. Thanks!
Thanks a lot, Daniel!
No problem, thanks for commenting Marat!
I followed this, but it doesn’t work; it shows an access denied message.
Can you also help with what least privilege access can be granted to our Wintel team to install patches and reboot the server? It shouldn’t be a domain admin or built-in server administrator, as that gives unrestricted access.
Ideally you would create the Join / Delete permission against a group, and put your ‘User or Team’ into the delegation.
Additionally, you would not put the delegation on the domain, but likely on a sub-OU for Workstations, where you want PCs to go, or maybe a separate delegation (i.e. Server Joiners) for the Servers OU.
Daniel, is it possible to delegate domain join on an Azure AD DS setup for a service account?