戻る
-
タイトル
What user permissions are required for a delegated join to a domain? -
説明
An Active Directory (AD) user other than the Administrator account is required to be able to perform a delegated join to a domain. What permissions are required for a user to be able to do so?
-
対策
Permissions need to join to domain when the Computer account alreadys exists in AD:
Required
Object permissions:
ResetPasswordRecommendedObject Properties:
Write DNS Host Name Attributes
Write userAccountControl
Write servicePrincipalName
Optional
Object Properties:
Write Operating System
Write Operating System Version
Write userPrincipalName
If the computer does not exist then the only right required is "Create Computer Object" If you are joining in User Personality Mode (UPM) mode you will also need the right of "Write preferredOU".To set permissions on a joining account:1 - Run run Active Directory Users and Computers console (dsa.msc) as Domain Administrator.
2 - Click on the OU where the computer account will be added, right click and select Delegate Control.
3 - Add the user on the list and select next
4 - Select a custom task to delegate, select next
5 - Select Computer Objects from the list of objects and next.
6 - Select the above noted permissions and properties. -
追加情報
Note, by default preferredOU is filtered by the Microsoft admin tools. To disable this please see http://support.microsoft.com/kb/296490