Applies to:
All versions of Centrify DirectControl
Question:
Why is domain admin authority required to join machines with the -T or --trust flag?
Answer:
The -T flag of adjoin means "trust computer for delegation". An Active Directory user with delegated permissions to create and delete computer objects will not be able to join machines with the -T option. The “Enable User and Computer account to be trusted for Delegation” AD permission needs to be granted to an AD user in order to use the -T option to specify a computer account to be trusted for delegation.
For reference, please see the Knowledge Base article from Microsoft:
http://technet.microsoft.com/en-us/library/cc772612.aspx
By default, a domain admin has this permission. For a non-admin user, enable the following group policy to grant this permission:
"Computer Configuration" > "Windows Settings" > "Security Settings" > "Local Policies" > "User Rights Assignment" > "Enable computer and user accounts to be trusted for delegation".