Applies to: All versions of Centrify Suite with Unix and Mac systems

Question:
What are the necessary permissions needed for an AD account to join a machine to the domain?

Answer:
The account that runs the adjoin command must have full permissions on the OU that the machine will be joined into. This account can be delegated full control over the OU, and it will then be able to join computers to the domain successfully. AD groups can be delegated in the same way.
This is useful for allowing a user or a group of users to join computers to the domain without giving them full Domain Admin rights.

Note:
- If an identical computer object with the same name already exists in another OU, the user account will also need permissions on that OU, so that the account is able to move the object from one OU to the other.
The best way to do this is with Microsoft's Delegation Control Wizard:
- Open up Active Directory Users and Computers
- Right-click on the target OU and select "Delegate Control...".
- Continue through the wizard and add the users and/or groups to give full control to.
- Choose to "Create a custom task to delegate".
- Choose to delegate control of "This folder, existing objects in this folder, and creation of new objects in this folder".
- Choose the "Full Control" box and all checkboxes should automatically be selected.
- After completing the wizard, try to join a machine to the domain using an account that now has full control of the OU that the machine will be placed in.
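The same delegation can be scripted instead of clicked through the wizard. The following PowerShell is an added example, not from the original article or from Centrify: it grants the equivalent of the wizard's "Full Control" on "This folder, existing objects in this folder, and creation of new objects in this folder" to a group, first checks for the pre-existing computer object described in the Note above, and then reads the OU's ACL back to confirm the entry. The OU, group and hostname are placeholders; it assumes the RSAT ActiveDirectory module (and its AD: drive) is available.

```powershell
# Added example (not Centrify's code): delegate Full Control on an OU to a group,
# equivalent to the Delegation of Control Wizard steps above.
Import-Module ActiveDirectory

$ouDN      = "OU=Unix Computers,DC=example,DC=com"   # placeholder OU the machine will be joined into
$groupName = "Unix-Joiners"                           # placeholder group that will run adjoin
$computer  = "unixhost01"                             # placeholder hostname of the machine to join

# 1. Check whether a computer object with the same name already exists in another OU.
#    If so, the joining account needs rights on that OU too, or the join cannot move it.
$existing = Get-ADComputer -Filter "Name -eq '$computer'" -ErrorAction SilentlyContinue
if ($existing) {
    # Parent container = DN with the leading "CN=<name>," removed (simple split; escaped commas in the CN are not handled)
    $currentOU = ($existing.DistinguishedName -split ',', 2)[1]
    if ($currentOU -ne $ouDN) {
        Write-Warning "Computer object '$computer' already exists in '$currentOU'; the joining account also needs rights there."
    }
}

# 2. Build the ACE: GenericAll (Full Control) on the OU, its existing children and any
#    objects created in it (ActiveDirectorySecurityInheritance::All matches the wizard choice).
$sid = (Get-ADGroup -Identity $groupName).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# 3. Apply it through the AD: PSDrive exposed by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Verify: show the ACEs on the OU that now belong to the group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```

Run it as an account that can modify the OU's security descriptor (a Domain Admin, or an existing OU owner). The verification step should list an Allow entry with GenericAll and InheritanceType All for the group; once that is present, a member of the group can run adjoin against that OU.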