Active Directory Permissions – Manage Accounts and OUs


I want to create an account that will perform the following:

  • Join computers to a domain (not restricted to 10, like a normal user)
  • Check for computer accounts in AD
  • Delete computers from AD
  • Move computers between OUs

I don't want to allow it to do anything else, so don't want a domain admin account.

Can anyone guide me in the right direction in terms of permissions? Not sure if I should be using delegation of control wizard?

Cheers,

Ben

Best Answer

I actually had to set this up for myself recently. We have some custom code that does computer prestaging for new computers when they PXE boot and runs as a service account.

  • Check for computer accounts in AD

Any user in the Domain Users group should be able to do this out of the box without any additional permissions unless you've changed default permissions in places or added Deny ACLs on things.

  • Join computers to a domain (not restricted to 10, like a normal user)
  • Delete computers from AD
  • Move computers between OUs

For these, you first have to decide where you want this access to be given. It's easy to just grant permissions at the root of the domain, but not terribly wise. Usually, you have an OU or set of OUs where computer accounts live. So you should apply the following permissions to those containers specifically. Permissions to join a computer to the domain just requires the ability to create a computer account and set its properties. Moving a computer between OUs requires the ability to delete the account from one place and create it in another. All that said, here's what permissions you need to grant on each OU:

  • This object and all descendants
    • Create Computer objects
    • Delete Computer objects
  • Descendant Computer objects
    • Read all properties
    • Write all properties
    • Change password
    • Reset password
    • Validated write to DNS host name
    • Validated write to service principal

I also have an additional bit of advice. Don't grant these permissions to the service account directly. Create a group like Computer Admins and make the service account a member of that group. Then, grant the permissions to the group. That way if you have additional people or service accounts that need the same permissions, you only need to modify the group's membership.
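The delegation described in the answer above, scripted with the ActiveDirectory module as an added example (not code from the original answer or from any product). It assumes a group named "Computer Admins" already exists, that `$ouDN` is your computer OU (the value below is a placeholder), and that it runs as an account allowed to change that OU's ACL; the GUIDs for the computer class and the extended rights are looked up by name rather than hard-coded.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory module,
# an existing group "Computer Admins", and a placeholder OU in $ouDN.
Import-Module ActiveDirectory

$groupName = 'Computer Admins'
$ouDN      = 'OU=Workstations,DC=example,DC=com'   # placeholder, change to your OU

$rootDse  = Get-ADRootDSE
$groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # this object and all descendants
$inhDesc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # descendant objects only

# Resolve GUIDs from the schema and Extended-Rights containers by display name.
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
function Get-RightGuid([string]$DisplayName) {
    [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid).rightsGuid
}

# Build one Allow ACE for the group. $ObjectType restricts the right to a class or
# extended right; $InheritedType restricts which descendant class inherits it.
function New-Ace($Rights, $ObjectType, $Inheritance, $InheritedType) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $allow,
        [guid]$ObjectType, $Inheritance, [guid]$InheritedType)
}

$acl = Get-Acl -Path "AD:\$ouDN"
# This object and all descendants: Create / Delete Computer objects
$acl.AddAccessRule((New-Ace 'CreateChild' $computerGuid $inhAll ([guid]::Empty)))
$acl.AddAccessRule((New-Ace 'DeleteChild' $computerGuid $inhAll ([guid]::Empty)))
# Descendant Computer objects: Read all properties / Write all properties
$acl.AddAccessRule((New-Ace 'ReadProperty'  ([guid]::Empty) $inhDesc $computerGuid))
$acl.AddAccessRule((New-Ace 'WriteProperty' ([guid]::Empty) $inhDesc $computerGuid))
# Descendant Computer objects: Change/Reset password (extended rights) and validated writes
foreach ($name in 'Change Password', 'Reset Password') {
    $acl.AddAccessRule((New-Ace 'ExtendedRight' (Get-RightGuid $name) $inhDesc $computerGuid))
}
foreach ($name in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $acl.AddAccessRule((New-Ace 'Self' (Get-RightGuid $name) $inhDesc $computerGuid))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check the result: only the ACEs granted to the group on this OU
(Get-Acl -Path "AD:\$ouDN").Access | Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Run it once per OU that holds computer accounts, and keep the final query as the check that nothing broader than the listed rights was granted.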