Granting a Windows Service Account Domain Join Delegated Permissions
In order to join new computers/servers to an Active Directory domain, a user account with domain join permissions must be used to join new prospective computers to said domain. In order to accomplish this, we can configure a user that has delegated control on the computers OU within Active Directory that will allow that service user account the appropriate rights to perform the domain join operation. This tutorial will walk though the process of setting up a service user account, and then delegating permission to perform a domain join with that new non Admin service user account.
1. Active Directory Domain Controller:
In order to perform the following steps, access to an Active Directory Domain Controller (AD DC) is required. All of the steps outlined in this tutorial will be performed on an AD DC.
2. AD Service Account:
The second thing that we will need is a service user account that will be delegated control within AD, allowing the account rights to perform domain join operations. If a service user account already exists, then the next step can be skipped. If there is currently no service user account, or you wish to start with a fresh service user account, then continue following the next section.
Create an AD Service Account
The first step in being able to automate the process of joining a Windows instance to Active Directory is to have a service user account with domain join permissions available. This first part of this tutorial will walk though delegating control to an AD (Active Directory) service account, as to allow the service user account the proper permissions and rights to join new Windows instances to AD. The following steps should be performed on an AD Domain Controller (DC).
1. Add or Verify Service User Account:
The first thing that we will need is to have an available service user account. If a service user account already exists, then we are all set, if not, then a service user account must be created prior to proceeding any further with this tutorial.
2. Add Service User Account:
A new user account can be created by opening Active Directory Users and Computers, from the start menu. In the AD Users and Computers console, right click on the OU (Organizational Unit) where the user will reside, and then select New --> User from the OU right click context menu.
Once selected, a dialog box will appear that will allow you to fill in the user details. Fill in the service user account details, and then click the Next button.
Next, set the service user account password. Once the password and password confirmation have been input, then check the options for User cannot change password and Password never expires. Once selected, then click the Next button.
Finally, review the user details, and once satisfied that the information is accurate, click the Finish button on the bottom of the new user dialog box to create the new service user account.
Domain Join OU Delegation
Now that we have a service account that we can use to join computers to the domain, we need to set proper permissions on the computers OU, to ensure that our new service account has the proper rights to create and delete objects in the Computers OU. To do this, we need to set up a delegation.
1. Delegate Control:
From the Active Directory Users and Computers console, right click on the Computers OU, and from the right click context menu, select Delegate Control.
2. Create New Delegation in the Delegation Wizard:
The Delegation Wizard will now open, to start the wizard, click the Next button.
In the Users or Groups dialog, Click the Add button, and search for service user account we configured earlier, or an existing account that you would prefer to use. Once selected, click Ok to add the account to the **Selected users and groups section of the dialog. Once the service account user has been selected, and shows properly in the dialog box, click the Next button.
Next, in the Tasks to Delegate dialog, select the Create a custom task to delegate option and then click the Next button.
Next, in the Active Directory Object Type dialog, select the option of Only the following objects in the folder, From the list, then also select the Computer Objects from the list of available objects listed in the dialog. Next, on the bottom of the dialog, select the Create selected objects in this folder and Delete selected objects in this folder check box's. Once your selections have been made, click the Next button.
Next, in the Permissions dialog, select both of the General and Creation/Deletion of specific child objects options from the Show these permissions section. Next, Under the permissions section, select both of the Create All Child Objects and Delete All Child Objects options. Once selected, click the Next button.
Last on the Completing the Delegation of Control Wizard dialog, click the Finish button to complete the wizard.
In your Active Directory Domain Controller, open Active Directory Users and Computers. From the main console, right click on the Computers OU, and click Properties. In the properties dialog window, click on the Security tab, and from the Group or user names: section, find the user that was granted delegation to that OU, and click the Remove button. Once removed, Click OK to close the dialog. At this point, you can also click on the Users OU, and delete the user.
By following the steps above, proper delegation should be proplery configured for the new service account that we just created. The user who now has delegated authority to perform operatons such as an Active Directory DomainJoin operation should successfully be able to add new computer objects to the Domain, without any further permission elevation, and while still maintaining any restrictions applied to the account.
No Additional Resources.
No Addtional References