Q&A: Can I Create a Specific Join-User?

Knowledge Base Community
, , ,
#1

Question

Can I create a specific “join user” to be able to join client into the domain?

Additional Question

Can this be done without the “join user” being a domain administrator?

Answer

According to our documentation any user being a member in the two groups “Domain Administrators” and “DC Backup Hosts” is able to join a computer to the domain.

You might add the missing group via UMC (webfrontend) or in terminal via udm like

root@ucs:~# udm users/user modify --dn "<USER-DN>" \
  --append "groups=cn=DC Backup Hosts,cn=groups,$(ucr get ldap/base)"

Answer

It is not possible to create a user being able to join without having administrator privileges.
A “join user” has to be member of the domain administrator group thus always having administrative rights ins the domain.

Minimal rights for a user to join computers to domain
Mastodon