Granting domain-join privilege for a user / some users

Started by Dieselboy, August 13, 2019, 03:28:18 AM


Dieselboy

I'm on a roll this week. Looking forward to posting about converting Windows 10 laptops to CentOS, automated, simple, domain joined and disk encrypted.

We have a remote site where machines need to be joined to the domain. I can't give out `domain admin` credentials or create a 2nd domain admin user for individuals. So I did make use of the standard `domain user` being able to join 10 machines to the domain, then the limit was reached.

Looking around the web there are a lot of articles making this a complex task of privilege trees which I was not keen on for the occasional domain join.

I found one article which described creating a normal user with the correct privilege, and then sharing this account around to the users who'll be using it to domain-join systems. I didn't really like that either due to the sharing of an account and passing around username and password  :o :(

So thinking through the article, I decided to create a security group (instead of the user) and give the group the privilege. Then add an end-user to the group when they need to domain join and remove them (if I want) afterwards. Works a treat.

Summary steps
1. Create a security group
2. On the default AD OU `Computers` (where new domain joins go into) edit the security properties of the OU like:
2.a. Give the security group privilege on `This object and all descendant objects` the additional privilege of `Create Computer Objects` as well as `Delete Computer Objects`.
also:
2.b. Give the security group privilege for the same OU on `Descendant Computer objects` the following:
    Read All Properties
    Write All Properties
    Read Permissions
    Modify Permissions
    Change Password
    Reset Password
    Validate Write to DNS hostname
    Validate Write to Service Principal Name
3. Save the permissions and close the windows
4. Add one user to the security group
5. Attempt domain join of a NEW system to the domain using the user in the group

At this point, the user has privileges to create a new computer object in the default OU called `Computers`. If like me you move computers into another OU for GPO processing, then give the same permissions on the destination OU tree (for example I have `Desktops > Windows` so I have given the permission on the `Desktops` OU). This way, the user can re-join systems into the domain after re-imaging, because the computer object will already exist there.

And that's it. Anyone who's a member of the group will be able to domain join.

Original article where I took this information from is located here. Basically where they state `Create a standard domain account`, create a security group instead and follow on.
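Added example (editor's, not from the post above or the linked article): the summary steps 2.a and 2.b as a PowerShell script using the ActiveDirectory module, applied to both the default `Computers` container and the destination OU the post mentions. Assumed names: group `DomainJoiners` and OU `OU=Desktops,<domain DN>`; the extended-right display names are assumed to be the standard ones from the schema's Extended-Rights container.

```powershell
# Added example, not from the original post. Assumed: group 'DomainJoiners',
# extra OU 'OU=Desktops,<domain DN>', standard Extended-Rights displayNames.
Import-Module ActiveDirectory

$GroupName = 'DomainJoiners'                                          # assumption
$Domain    = Get-ADDomain
$Targets   = @($Domain.ComputersContainer,                             # default CN=Computers
               "OU=Desktops,$($Domain.DistinguishedName)")             # assumed destination OU
$Sid       = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupName).SID

# Resolve schema and extended-right GUIDs from this forest instead of hardcoding them
$RootDse       = Get-ADRootDSE
$ComputerClass = [guid](Get-ADObject -SearchBase $RootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
function Get-RightGuid([string]$DisplayName) {
    [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid).rightsGuid
}

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$ADR   = [System.DirectoryServices.ActiveDirectoryRights]
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
function New-Ace { New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $args }

foreach ($Dn in $Targets) {
    $Acl = Get-Acl -Path "AD:\$Dn"
    # 2.a: Create / Delete Computer Objects on this object and all descendant objects
    $Acl.AddAccessRule((New-Ace $Sid ($ADR::CreateChild -bor $ADR::DeleteChild) $Allow $ComputerClass $Inh::All))
    # 2.b: Read/Write All Properties, Read/Modify Permissions on descendant computer objects only.
    #      WriteProperty ("Write All Properties") covers every attribute of the computer object;
    #      tighten it to the attributes your join workflow actually touches if you can.
    $Acl.AddAccessRule((New-Ace $Sid ($ADR::ReadProperty -bor $ADR::WriteProperty -bor $ADR::ReadControl -bor $ADR::WriteDacl) `
        $Allow $Inh::Descendents $ComputerClass))
    # 2.b: Change/Reset Password (control-access rights) on descendant computer objects
    foreach ($Name in 'Change Password', 'Reset Password') {
        $Acl.AddAccessRule((New-Ace $Sid $ADR::ExtendedRight $Allow (Get-RightGuid $Name) $Inh::Descendents $ComputerClass))
    }
    # 2.b: validated writes to DNS host name and SPN on descendant computer objects
    foreach ($Name in 'Validated write to DNS host name', 'Validated write to service principal name') {
        $Acl.AddAccessRule((New-Ace $Sid $ADR::Self $Allow (Get-RightGuid $Name) $Inh::Descendents $ComputerClass))
    }
    Set-Acl -Path "AD:\$Dn" -AclObject $Acl                            # step 3: save
}

# Check: show exactly which ACEs the group now holds on each target
foreach ($Dn in $Targets) {
    (Get-Acl "AD:\$Dn").Access | Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
}
```

Run it as an account that can modify the DACL of those containers; the final loop is the check that the group holds only the intended ACEs before you add anyone to it (step 4).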

deanwebb

^ This is also needed if you need an account to do BIND operations with AD when it validates user accounts.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.