This article describes how to delegate the administrative task of joining Windows clients into an Samba 4 / Active Directory domain.
For example a user “domjoin” in the top OU “Users” who is only member of the “Domain User” group in UCS LDAP can be created beforehand for this.
The Active Directory access control model allows delegation of specific administrative tasks affecting a defined scope of the content of the Active Directory to selected users or groups. The following steps can be used to grant the right to join Windows clients to certain users or groups:
- Log on to a Windows client which offers the tool Active Directory Users and Computers.
- Open Active Directory Users and Computers and right-click the directory partition or organizational unit (OU) for which you want to delegate control.
- Click “Delegate Control” to start the Delegation of Control Wizard and click Next.
- In the “Users or Groups” dialogue click Add.
- Choose specific users (i.e. “domjoin”) or groups and then click Next.
- In the “Tasks to Delegate” dialogue
- select “Create a custom task to delegate” and then click Next.
- In the “Active Directory Object Type” dialogue
- click “Only the following objects in the folder”.
- From the list select
- “Computer objects”,
- and choose below the list
- “Create selected objects in this folder”,
- “Delete selected objects in this Folder”.
- And then click Next.
- Then the “Permissions” dialogue
- should start with “General” pre-selected.
- In the “Permissions” list select the following check boxes:
- “Reset Password”,
- “Read and write Account Restrictions”,
- “Validated write to DNS host name”,
- “Validated write to service principal name”.
- Finish the dialogoue by clicking Ok.
This way, the selected users or groups should be able to perform the task without the necessity to endorse full “Domain Admin” rights on them. This article is based on http://support.microsoft.com/kb/932455/en-us .