I want to create an account that will perform the following:

  • Join computers to a domain (not restricted to 10, like a normal user)
  • Check for computer accounts in AD
  • Delete computers from AD
  • Move computers between OUs

I don't want to allow it to do anything else, so don't want a domain admin account.

Can anyone guide me in the right direction in terms of permissions? I'm not sure if I should be using the Delegation of Control wizard.

Cheers,

Ben

4 Answers

I actually had to set this up for myself recently. We have some custom code that does computer prestaging for new computers when they PXE boot and runs as a service account.

  • Check for computer accounts in AD

Any user in the Domain Users group should be able to do this out of the box without any additional permissions unless you've changed default permissions in places or added Deny ACLs on things.

  • Join computers to a domain (not restricted to 10, like a normal user)
  • Delete computers from AD
  • Move computers between OUs

For these, you first have to decide where you want this access to be given. It's easy to just grant permissions at the root of the domain, but not terribly wise. Usually, you have an OU or set of OUs where computer accounts live, so you should apply the following permissions to those containers specifically. Permission to join a computer to the domain just requires the ability to create a computer account and set its properties. Moving a computer between OUs requires the ability to delete the account from one place and create it in another. All that said, here are the permissions you need to grant on each OU:

  • This object and all descendants
    • Create Computer objects
    • Delete Computer objects
  • Descendant Computer objects
    • Read all properties
    • Write all properties
    • Change password
    • Reset password
    • Validated write to DNS host name
    • Validated write to service principal

I also have an additional bit of advice. Don't grant these permissions to the service account directly. Create a group like Computer Admins and make the service account a member of that group. Then, grant the permissions to the group. That way if you have additional people or service accounts that need the same permissions, you only need to modify the group's membership.

Ryan Bolger
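The permission set above, applied to a single OU with PowerShell, as an added example (not code from the answer or the poster's prestaging service). It assumes an OU `OU=Workstations,DC=contoso,DC=local` and a group named `Computer Admins`, both constructed for the example; the GUIDs are the well-known schema class and extended-right identifiers the ACEs refer to, and it must run as an account allowed to edit the OU's security descriptor.

```powershell
# Added example: grant the listed ACEs to a group on one OU, rather than at the domain root.
Import-Module ActiveDirectory

$ouDn  = 'OU=Workstations,DC=contoso,DC=local'          # assumed target OU
$group = Get-ADGroup -Identity 'Computer Admins'        # assumed group name
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Well-known schema class and extended-right GUIDs referenced by the ACEs
$computerClass = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$changePwd     = [Guid] 'ab721a53-1e2f-11d0-9819-00aa0040529b'  # Change Password
$resetPwd      = [Guid] '00299570-246d-11d0-a768-00aa006e0529'  # Reset Password
$dnsHostName   = [Guid] '72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$spnWrite      = [Guid] 'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to SPN

$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$onAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$onDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function New-Ace {
    param(
        [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Guid] $ObjectType,          # class, attribute or extended right the ACE covers
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inherit,
        [Guid] $InheritedObjectType  # descendant object class that inherits the ACE
    )
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, $allow, $ObjectType, $Inherit, $InheritedObjectType)
}

$aces = @(
    # "This object and all descendants": Create / Delete Computer objects
    New-Ace 'CreateChild, DeleteChild' $computerClass $onAll ([Guid]::Empty)
    # "Descendant Computer objects": Read / Write all properties
    New-Ace 'ReadProperty, WriteProperty' ([Guid]::Empty) $onDesc $computerClass
    # Change password / Reset password are extended rights on the computer object
    New-Ace 'ExtendedRight' $changePwd $onDesc $computerClass
    New-Ace 'ExtendedRight' $resetPwd  $onDesc $computerClass
    # Validated writes to dNSHostName and servicePrincipalName use the "Self" right
    New-Ace 'Self' $dnsHostName $onDesc $computerClass
    New-Ace 'Self' $spnWrite    $onDesc $computerClass
)

# Read the OU's current DACL, append the ACEs, and write it back
$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl
```

Afterwards, `(Get-Acl "AD:\$ouDn").Access | Where-Object IdentityReference -like '*Computer Admins'` lists the six ACEs so you can confirm nothing broader was granted.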
Create a group like "Computer Admins", then open the Active Directory Users & Computers MMC snap-in and right-click the OU where you want to give them rights (if you want to give them rights over the whole domain, right-click the domain name instead) and select the Delegate Control option.

In the resulting wizard, select the group you created earlier ("Computer Admins"), click Next, then click "Create a custom task to delegate" and click Next.

Then select "Only the following objects in the folder", tick "Computer objects" in the list, and also tick the two boxes at the bottom, "Create selected objects in this folder" and "Delete selected objects in this folder". Click Next.

On the next screen, select "Full Control" from the list, then click Next.

The next screen will show you a summary of the delegation; click Finish.

Once done, add one of the users to the "Computer Admins" group and try to carry out the various tasks you want.

KAPes

Yes, you should be using delegation of control. While I could go through and explain step by step how to do this, there's an easier solution. Download and install ADManagerPlus from ManageEngine and use their AD Delegation tool to set things up for yourself. They have predefined Help Desk roles that you can use to grant the appropriate access to the users in question. Look into the Modify Computers role, as I believe that's what you're looking for.

joeqwerty

You can create a specific "Taskpad" mmc for them to use, like here: http://www.petri.co.il/create_taskpads_for_ad_operations.htm

Basically it's a customized version of MMC that is locked to using certain controls, like creating users, creating computers, etc. The delegation settings/permissions then determine what they can actually do from there.

Grizly

  • Good suggestion, but it doesn't restrict what they have access to using other tools or methods. If they install the admin pack and launch ADUC, they'll have access to everything unless you use delegation of control with the proper type of user account. Security through obscurity shouldn't be the only safety mechanism in use. – joeqwerty May 27 '10 at 23:44
  • You can set permissions on the LDAP tree using ADUC (use "View -> Advanced Features" and you can see the Security tab on OUs etc.) so that regular users cannot change settings/things; they can only view them. However, if you plan on delegating tasks to an employee, one would hope you trust them. – Grizly Jun 03 '10 at 06:53