Delegating right to join Windows clients in Samba 4 domains



This article describes how to delegate the administrative task of joining Windows clients to a Samba 4 / Active Directory domain.

The Active Directory access control model allows specific administrative tasks over a defined scope of the directory (for example one organizational unit) to be delegated to selected users or groups. The following steps grant the right to join Windows clients to certain users or groups:

  • Log on to a Windows client on which the Active Directory Users and Computers tool is available.
  • Open Active Directory Users and Computers and right-click the directory partition or organizational unit (OU) for which you want to delegate control.
    - Click “Delegate Control” to start the Delegation of Control Wizard and click Next.
  • In the “Users or Groups” dialogue click Add.
  • Choose specific users or groups and then click Next.
  • In the “Tasks to Delegate” dialogue select “Create a custom task to delegate” and then click Next.
  • In the “Active Directory Object Type” dialogue, click “Only the following objects in the folder:”.
  • The Permissions dialogue should then open with “General” pre-selected.
  • In the Permissions list select the following check boxes: “Reset Password”, “Read and write Account Restrictions”, “Validated write to DNS host name”, “Validated write to service principal name”.
  • Finish the dialogue by clicking OK.

This way, the selected users or groups can perform the task without being granted full Domain Admin rights. This article is based on .
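The same delegation expressed as the ACEs behind the four check boxes above, as an added example that is not part of this article or of Samba itself: it builds the SDDL ACEs, emits the matching `samba-tool dsacl set` calls for a Samba DC, and audits an OU's existing DACL to confirm the trustee has exactly those rights and nothing broader. The OU DN and group SID are assumed placeholders to replace; the GUIDs are the well-known Active Directory ones.

```python
"""Added example: SDDL for the wizard's four check boxes (for `samba-tool dsacl set`)
and an audit of an OU's DACL for them; verify the GUIDs if your schema is customised."""
import re
import shlex
import subprocess

COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"        # computer object class
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"        # User-Force-Change-Password
ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"  # property set
VALIDATED_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd"
VALIDATED_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"

def join_delegation_aces(trustee_sid):
    """Object-specific ACEs that apply only to computer objects below the OU
    (flags CI + IO), mirroring "Only the following objects in the folder"."""
    def oa(rights, guid):  # (OA;flags;rights;object_type;inherited_object_type;sid)
        return f"(OA;CIIO;{rights};{guid};{COMPUTER_CLASS};{trustee_sid})"
    return [oa("CR", RESET_PASSWORD),           # Reset Password
            oa("RPWP", ACCOUNT_RESTRICTIONS),   # Read and write Account Restrictions
            oa("SW", VALIDATED_DNS_HOST_NAME),  # Validated write to DNS host name
            oa("SW", VALIDATED_SPN)]            # Validated write to service principal name

def audit_delegation(sddl, trustee_sid):
    """Check a DACL (e.g. `samba-tool dsacl get` output) for the expected ACEs; also
    flag ACEs giving the trustee full control/owner/DACL-write, beyond the delegation."""
    expected = set(join_delegation_aces(trustee_sid))
    present, too_broad = set(), []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        f = body.split(";")
        if len(f) < 6 or f[5] != trustee_sid:
            continue
        ace = f"({body})"
        rights = {f[2][i:i + 2] for i in range(0, len(f[2]), 2)}  # two-letter tokens
        if ace in expected:
            present.add(ace)
        elif rights & {"GA", "WD", "WO"}:
            too_broad.append(ace)
    return {"missing": sorted(expected - present), "too_broad": too_broad}

def apply_delegation(object_dn, trustee_sid, dry_run=True):
    """One samba-tool call per ACE; returns the commands, runs them on the DC
    only when dry_run is False (object_dn and SID are supplied by the caller)."""
    cmds = []
    for ace in join_delegation_aces(trustee_sid):
        cmd = ["samba-tool", "dsacl", "set", f"--objectdn={object_dn}", f"--sddl={ace}"]
        cmds.append(shlex.join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return cmds
```

Running `apply_delegation("OU=Workstations,DC=example,DC=com", "<group SID>")` prints the commands without executing them; `audit_delegation` over the output of `samba-tool dsacl get --objectdn=<OU>` shows whether the delegation is complete and whether the group has also picked up full-control or owner rights it should not have.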