KB-4664: User or Group permissions needed in order to bind using the AD Join tool on a machine

Centrify DirectControl; Centrify Identity Service, Mac Edition

12 April,16 at 11:22 AM

Applies to: All versions of Centrify Suite with Unix and Mac systems


What are the necessary permissions needed for an AD account to join a machine to the domain?


The account that runs the adjoin command must have full permissions on the OU that the machine will be joined into. An account can be delegated full control over the OU, and it will then be able to join computers to the domain successfully. AD groups can be delegated in the same way.

This is useful for allowing a user or a group of users to join computers to the domain without giving them full Domain Admin rights.

  • If a computer object with the same name already exists in another OU, the user account will need permissions to that OU as well, so that the account can move that object from one OU to the other.

The best way to do this is with Microsoft's Delegation Control Wizard:
  1. Open Active Directory Users and Computers.
  2. Right-click on the target OU and select "Delegate Control...".
  3. Continue through the wizard and add the users and/or groups that should be given full control.
  4. Choose to "Create a custom task to delegate".
  5. Choose to delegate control of "This folder, existing objects in this folder, and creation of new objects in this folder". 
  6. Check the "Full Control" box; all other checkboxes should then be selected automatically.
  7. After completing the wizard, try to join a machine to the domain using an account that now has full control of the OU that the machine will be placed in.
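
To confirm the delegation before running adjoin, the OU's ACL can be read back with PowerShell. This is an added example, not part of the original article or Centrify's tooling; the OU distinguished name and group name are placeholders, and it assumes the wizard's "Full Control" choice shows up as an explicit GenericAll entry that applies to the OU and all descendant objects.

```powershell
# Added example: audit Full Control (GenericAll) entries on the target OU.
# Requires the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

# Placeholder values (assumptions): replace with your own OU and delegate.
$OuDn     = 'OU=UnixServers,DC=example,DC=com'
$Delegate = 'EXAMPLE\adjoin-operators'

# Numeric value of the GenericAll flag, used for a bitwise comparison.
$GenericAll = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$acl = Get-Acl -Path "AD:\$OuDn"

# Explicit (not inherited) Allow entries that grant GenericAll on this OU.
$fullControl = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    -not $_.IsInherited -and
    (([int]$_.ActiveDirectoryRights) -band $GenericAll) -eq $GenericAll
}

# Review the whole list: every principal here can create, move and delete
# computer objects in the OU, so unexpected names deserve a closer look.
$fullControl |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

# Check that the intended delegate is present and that the entry applies
# to the OU and everything below it (InheritanceType 'All').
$match = $fullControl | Where-Object {
    $_.IdentityReference.Value -eq $Delegate -and
    $_.InheritanceType -eq 'All'
}

if ($match) {
    "OK: $Delegate has Full Control on $OuDn and its child objects."
} else {
    Write-Warning "$Delegate does not have an explicit Full Control entry on $OuDn."
}
```

If a same-named computer object exists in another OU, run the same check against that OU as well.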
