6

I'm a linux admin by trade, and my new job has me managing windows servers.

I'm trying to create a windows server 2012 base image using packer. As part of the provisioning, the VM needs to be connected to active directory via a script. Obviously I don't want to put my personal password into the script.

Is it possible to create a user in Active Directory who has rights to bind a machine to AD, but can't perform any other actions (for compliance)?

spuder
  • 1,695
  • 2
  • 25
  • 42

2 Answers

7

Ordinarily, each and every Active Directory user can add up to 10 computer accounts to a domain, without the need to be a domain administrator; however, this behavior can be customized by domain policies, thus it might not be your case; and even if it was, you'd run into a problem as soon as the same user account needs to be used to add an 11th computer.

The proper way to go is to grant to this user account the special permission "Create Computer Objects" on the "Computers" container in Active Directory (where new computers are added by default), and/or on any other OU where new computers could be added (although it is a bit more difficult to add them somewhere in the directory outside the default "Computers" container).

https://technet.microsoft.com/en-us/library/cc780195(v=ws.10).aspx

Massimo
  • 68,714
  • 56
  • 196
  • 319
1

Sure, create your account, don't join it to any groups and put it somewhere in AD where it won't get any rights assigned by group policy. By default authenticated users can join computers to the domain; if this has been changed, you'll need to make sure your account is granted the "Add workstations to the domain" right via group policy. This is in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. You can also do it by giving the account permissions on the OU where you want the computer placed. To do that, grant the account the "Create Computer objects" permission on the OU you want it to use.

E-Rock
  • 499
  • 3
  • 6
  • Note: while it's true that GPOs can influence user rights, they usually do this by affecting the computers they are applied to; the actual position in the directory of the user account to which they are granting something is completely irrelevant. A user account will never "get rights assigned by group policy" based on its AD location. – Massimo Feb 05 '15 at 18:53
  • The OP wants to make sure the account "can't perform any other actions (for compliance)." The placement of the account will matter, depending on what else they are doing. You can have scripts that process OUs for inclusion into lists or to grant access. – E-Rock Feb 05 '15 at 19:24
  • A startup script would act on a COMPUTER, not on a USER ACCOUNT. Permissions act on OUs and the objects they contain. GPOs act on COMPUTERS by changing which right someone has on them. Security rights are granted to GROUPS, not OUs. You can of course do anything you want, you could theoretically query AD to look up user accounts in a given OU and do something for/on/with them; but that would be an excruciatingly unusual and awful way to manage your domain. – Massimo Feb 05 '15 at 21:33
  • 1
    You keep missing the compliance part of the requirement. You want to be able to tell your auditor that there's 'no way' this account can do anything else. By putting it somewhere special, you can say that. If you put it with other user accounts, you leave it open to getting swept up in other activities. – E-Rock Feb 05 '15 at 21:42
  • And you keep not getting the point about how Active Directory actually *works*. – Massimo Feb 05 '15 at 22:01
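Putting the two answers together in PowerShell, as an added example that is not part of either answer: it shows the per-user join quota Massimo mentions, creates a dedicated join account with no group memberships, delegates only "Create Computer Objects" on one OU (the approach both answers recommend), and reads the resulting ACE back as evidence. The OU name "Packer Builds", the account name svc-packer-join, the domain corp.example.com and the JOIN_PASSWORD environment variable are assumptions for the example; it expects RSAT (the ActiveDirectory module) on a domain-joined admin host.

```powershell
# Added example (not from either answer): delegate only "Create Computer Objects"
# on one OU to a dedicated join account, then read the delegation back.
# Assumed names: OU "Packer Builds", account svc-packer-join, domain corp.example.com.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$domainDN   = $domain.DistinguishedName
$ouName     = 'Packer Builds'
$ouDN       = "OU=$ouName,$domainDN"
$accountSam = 'svc-packer-join'

# Why an ordinary user is not enough: the join quota (default 10) is a single
# domain-wide attribute, and every image build consumes one slot.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota (joins allowed per ordinary user)"

# 1. Target OU for the build machines, created if missing.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Dedicated join account: no group memberships beyond Domain Users, and a
#    32-byte random password generated locally. Hand $plain to Packer as a
#    secret variable; it must never be written into the join script.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain    = [Convert]::ToBase64String($bytes)
$password = ConvertTo-SecureString $plain -AsPlainText -Force
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$accountSam'")) {
    New-ADUser -Name $accountSam -SamAccountName $accountSam `
        -UserPrincipalName "$accountSam@$($domain.DNSRoot)" `
        -AccountPassword $password -Enabled $true -CannotChangePassword $true `
        -Description "Packer image builds: may only create computer objects in $ouDN"
}
$sid = (Get-ADUser -Identity $accountSam).SID

# 3. A single ACE on the OU: Allow / CreateChild / object type = the "computer"
#    schema class. The class GUID is looked up from the schema, not hard-coded.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = [Guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(ldapDisplayName=computer)' `
                  -Properties schemaIDGUID).schemaIDGUID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $classGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Evidence for the auditor: exactly what this principal may do on the OU,
#    and that it belongs to no group other than Domain Users.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$accountSam" } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType -AutoSize
Get-ADPrincipalGroupMembership -Identity $accountSam | Select-Object -ExpandProperty Name

# Guest side, for reference: what the Packer provisioner would run inside the VM.
# JOIN_PASSWORD is an assumed name for the secret passed in via the provisioner's
# environment; -OUPath keeps the new object inside the delegated OU.
#   $cred = New-Object PSCredential("$($domain.NetBIOSName)\svc-packer-join",
#               (ConvertTo-SecureString $env:JOIN_PASSWORD -AsPlainText -Force))
#   Add-Computer -DomainName corp.example.com -OUPath $ouDN -Credential $cred -Restart
```

Two caveats worth knowing before showing this to an auditor. First, "Create Computer Objects" on the OU covers a first-time join, where the account creates the computer object itself; rejoining a machine whose object already exists in that OU needs write rights on that existing object, which this deliberately does not grant, so rebuilding an image with a reused hostname will fail until the stale object is removed. Second, the delegation is an ACL on the OU, so if a GPO has removed Authenticated Users from "Add workstations to the domain" on the domain controllers, that right is only a fallback for accounts without an explicit ACE and does not need to be re-granted here; if the join still fails, check that policy rather than widening the ACL.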