Add full control to computer object

  • Question

  • Morning,

    I have a script that adds a machine to the domain and then sets access to that computer object with a username, and all is well except I fell victim to having to be a Domain Admin because I am using the Set-Acl command.

    How can I get around this?

    If I have a username of user1

    and a computer name of computer1

    in an OU of "OU=computers,DC=testdomain,DC=com"

    what is the simplest way to assign user1 full control of the machine computer1

    Thanks in advance…

    Tuesday, April 10, 2018 10:36 AM

All replies

  • There is no need to do this.  Why do you think a normal user needs full control over any AD object?  This does not allow a user to be an admin on a computer and serves no practical purpose.

    Before trying to manage security in AD you MUST take some training in AD administration.  AD is very easy to corrupt.  You can also very easily destroy the security of your AD system.


    \_(ツ)_/

    Tuesday, April 10, 2018 12:06 PM
  • It is recommended that users not have any administrator privileges for the computers they use. This is for security reasons. Even Administrators should not logon to computers with an administrator account (a member of the local Administrators group) except when necessary for admin tasks.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, April 10, 2018 1:02 PM
  • Well thanks for the insult on taking AD classes. I won't mention I have been an AD admin for 20 years.

    The reason is I am pre-blessing machines onto the domain and I want to grant certain users the ability to domain join those machines (I know they don't need full rights to do this)

    Please don't go down the "ms-DS-MachineAccountQuota" route.

    Is there anyone else that has constructive advice on how to achieve this?

    Thanks.

    Tuesday, April 10, 2018 2:00 PM
  • Well thanks for the insult on taking AD classes. I won't mention I have been an AD admin for 20 years.

    The reason is I am pre-blessing machines onto the domain and I want to grant certain users the ability to domain join those machines (I know they don't need full rights to do this)

    Please don't go down the "ms-DS-MachineAccountQuota" route.

    Is there anyone else that has constructive advice on how to achieve this?

    Thanks.

    So you really don't know AD.   You can add a group to an OU and grant that group join privileges.  There is no need to give anyone full control.

    Using AD from ADUC does not really teach the technical side of AD.  When you need to script then that extra learning becomes necessary.

    To set up the group that allows users to join you would not use or need PowerShell.  Just create the security group and use the GUI to set the AD permission.   After that just add users to the group when you want to give them join permissions.

    Post in the Directory Services forum for help with creating a group and adding it with the GUI.


    \_(ツ)_/

    Tuesday, April 10, 2018 2:17 PM
  • Here are the two main methods of delegating rights to join to a group.

    https://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/


    \_(ツ)_/

    Tuesday, April 10, 2018 2:20 PM
  • Note also that as of AD 2008 all users have domain join rights for up to 10 computers.  What they will not have is rights outside of the default Computers container.  If they need to add the computers to another OU then you will have to delegate the right to create computer objects in that OU or you will have to pre-create the computer account for them.

    There is a good article somewhere that discusses this in great detail with examples.  Once you have designed your process and set AD and the group(s) correctly then all else will work for the users to join computers according to the requirements you have decided on.

    Just giving user full control on an OU will not give them domain join privileges.  The only way to do this is to make a user a Domain Admin which you do not want to do.

    Again - post in the Directory Services forum for assistance with using AD for this or for many other things.  Once you understand the technical requirements and procedures beyond the GUI you will be better able to determine if scripting is needed.


    \_(ツ)_/


    • Edited by jrv Tuesday, April 10, 2018 2:28 PM
    Tuesday, April 10, 2018 2:27 PM
  • Here is another approach that delegates the right for a single computer from the Wizard.  I do not recommend using this method with the GUI or with a script since it is mostly unnecessary.

    http://mgitservice.blogspot.com/2014/08/the-following-user-or-group-can-join.html


    \_(ツ)_/

    Tuesday, April 10, 2018 2:32 PM
  • I have to use PowerShell for what I am doing and I asked you not to go down the 10 computers path using ms-DS-MachineAccountQuota.

    Thanks anyways, got it to work exactly like I wanted and the way you said it couldn't be done.

    Tuesday, April 10, 2018 2:34 PM
  • And here is a script example that shows the minimal settings required to delegate a user for a single computer:

    https://stackoverflow.com/questions/29037519/set-following-user-or-group-can-join-to-domain-permissions-on-computer-object


    \_(ツ)_/

    Tuesday, April 10, 2018 2:41 PM
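    The following is an added example, not code from the thread or from the linked articles. It does in PowerShell what the thread's replies describe: instead of Full Control, it grants a principal only the ACEs the "join this computer" wizard sets on a pre-created computer object. It assumes the ActiveDirectory (RSAT) module, which provides Get-ADComputer, Get-ADObject and the AD: PSDrive that Set-Acl works against; the function names and the sample values computer1/user1 are taken from the question, and the GUIDs are the well-known rightsGuid and property-set values from the AD schema.

```powershell
# Added example (not from the thread): delegate the minimal rights needed to
# join a pre-created computer account, rather than Full Control.
# Assumes the ActiveDirectory (RSAT) module and the AD: PSDrive it registers.
Import-Module ActiveDirectory

# Well-known rightsGuid / property-set GUIDs from the AD schema. The Rights
# string is cast to System.DirectoryServices.ActiveDirectoryRights below.
$JoinAces = @(
    @{ Name = 'Reset Password';                            Rights = 'ExtendedRight';               Guid = '00299570-246d-11d0-a768-00aa006e0529' }
    @{ Name = 'Read/Write Account Restrictions';           Rights = 'ReadProperty, WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }
    @{ Name = 'Validated write to DNS host name';          Rights = 'Self';                        Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' }
    @{ Name = 'Validated write to service principal name'; Rights = 'Self';                        Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' }
)

function Grant-ComputerJoinRights {
    # Grants $Identity (a user or, preferably, a group) the four ACEs above on
    # the computer object $ComputerName. Supports -WhatIf via ShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # e.g. computer1
        [Parameter(Mandatory)] [string] $Identity        # sAMAccountName, e.g. user1 or a group
    )

    $computer = Get-ADComputer -Identity $ComputerName
    $trustee  = Get-ADObject -Filter "sAMAccountName -eq '$Identity'" -Properties objectSid
    if (-not $trustee) { throw "Principal '$Identity' not found." }
    $sid = [System.Security.Principal.SecurityIdentifier] $trustee.objectSid

    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    foreach ($ace in $JoinAces) {
        # Object-specific ACE: rights apply only to the named extended right /
        # property set (the GUID), not to the whole object.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights] $ace.Rights,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [guid] $ace.Guid)
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "grant join rights to $Identity")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

function Get-ComputerJoinRights {
    # Audit helper: lists the ACEs on the computer object that name $Identity,
    # so you can confirm the trustee holds only the delegated rights.
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Identity
    )
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$Identity" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
}

# Usage with the question's constructed values (dry run first, then audit):
# Grant-ComputerJoinRights -ComputerName computer1 -Identity user1 -WhatIf
# Grant-ComputerJoinRights -ComputerName computer1 -Identity user1
# Get-ComputerJoinRights   -ComputerName computer1 -Identity user1
```

    Modifying the DACL needs Modify Permissions (WRITE_DAC) on that one computer object, which the account that pre-created the object already holds as its owner, so the script does not need Domain Admin for this step. Passing a security group as the identity, and adding users to that group, follows the group-based delegation the replies above recommend over per-user ACEs.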
  • I have to use PowerShell for what I am doing and I asked you not to go down the 10 computers path using ms-DS-MachineAccountQuota.

    Thanks anyways, got it to work exactly like I wanted and the way you said it couldn't be done.

    Giving a user full control is a very bad idea.


    \_(ツ)_/

    Tuesday, April 10, 2018 2:43 PM
  • I have to use PowerShell for what I am doing and I asked you not to go down the 10 computers path using ms-DS-MachineAccountQuota.

    Thanks anyways, got it to work exactly like I wanted and the way you said it couldn't be done.

    Giving a user full control is a very bad idea.


    \_(ツ)_/

    As I stated, I know I DON'T have to. I was making the use case easier. I got it working without full control and just minimum rights.
    Tuesday, April 10, 2018 2:46 PM
  • Hi,

    I'm checking how the issue is going, was your issue resolved?

    And if the replies above are helpful, we would appreciate it if you marked them as answers. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best Regards,
    Albert

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, April 11, 2018 5:13 AM
  • Yes, I resolved it myself.
    Wednesday, April 18, 2018 9:45 AM