Join Computer To Domain With Minimum Permissions

Which authorizations are necessary to join a computer to an AD domain?

The aim of a granular delegation concept is to assign only those rights that are necessary for the operation of the assigned role.

Index

  • Principle of least privilege to join the Active Directory Domain
  • Necessary delegations for the target OU

Principle of least privilege to join the Active Directory Domain

We could simply give Domain Admin permissions to every admin; everything would work, and that would be the end of it. The question, though, is: do we really want to hand Domain Admin rights to every helpdesk employee? I don’t think so. This leads to the real question: which authorizations are actually essential for joining a computer to the domain?

Computer objects must be “prestaged”

A requirement for this delegation: computer objects must be “prestaged”. That means that empty computer objects have to be created in the proper OU by a central authority in advance. I can only recommend this. Without “prestaged” computer objects, all new objects are placed in the domain’s default Computers container (unless you have changed the default container, as described in Tim’s article), and they then have to be moved to the proper target OU.

To move computer objects to the target OU you need:

  • Delete-authorization for the computer container
  • Create-authorization for the target OU

These high-ranking authorizations should be avoided.

Necessary delegations for the target OU

The following delegations are needed for the target-OU containing the “prestaged” computer-objects:

Apply to: Descendant Computer objects

  • Allow: Reset password
  • Allow: Validated write to DNS host name
  • Allow: Validated write to service principal name
  • Allow: Read account restrictions
  • Allow: Write account restrictions

You can obtain further information from the following Microsoft KB article: http://support.microsoft.com/kb/932455/en-us
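The following PowerShell script is an added example (not part of the original article) showing how the five delegations listed above can be applied to a target OU for a helpdesk group, scoped to descendant computer objects only. It assumes the ActiveDirectory module is available, that the OU distinguished name and group name (placeholders here) are replaced with your own, and that the extended-right display names it looks up (“Reset Password”, “Validated write to DNS host name”, “Validated write to service principal name”, “Account Restrictions”) match the entries under CN=Extended-Rights in your forest’s configuration partition. GUIDs are resolved from the schema and configuration partitions at run time rather than hardcoded.

```powershell
# Added example: delegate the minimum domain-join rights on one OU.
# Not the article's code; OU DN and group name are placeholders.
Import-Module ActiveDirectory

$ouDn     = 'OU=Workstations,DC=example,DC=com'   # placeholder: target OU with prestaged computer objects
$groupSam = 'Helpdesk-DomainJoin'                  # placeholder: group that receives the delegation

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve the schemaIDGUID of the "computer" class; the ACEs will be
# inherited only by objects of this class (Apply to: Descendant Computer objects).
$computerClassGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# Look up an extended right / property set by its displayName under
# CN=Extended-Rights (assumption: the names below match your forest).
function Get-RightsGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$sid     = (Get-ADGroup $groupSam).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDn"

# 1) Reset password: a control access right, so ActiveDirectoryRights.ExtendedRight
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    (Get-RightsGuid 'Reset Password'), $inherit, $computerClassGuid))

# 2) + 3) Validated writes to dNSHostName and servicePrincipalName:
#    validated writes are expressed with ActiveDirectoryRights.Self
foreach ($name in 'Validated write to DNS host name',
                  'Validated write to service principal name') {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::Self, $allow,
        (Get-RightsGuid $name), $inherit, $computerClassGuid))
}

# 4) + 5) Read and write of the "Account Restrictions" property set
#    (covers userAccountControl and related attributes)
$rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
      [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rw, $allow, (Get-RightsGuid 'Account Restrictions'), $inherit, $computerClassGuid))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify the result; each new ACE should show "Inherited to computer objects only"
dsacls $ouDn
```

Because every ACE carries the computer class as its inherited-object type, nothing is granted on the OU itself or on user, group or nested-OU objects beneath it; the helpdesk group can only complete the join on objects that were prestaged in this OU. Re-run `dsacls` after any change to confirm no Full Control or generic write entries crept in alongside these five.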

Article created on: 06.02.2014
