Which permissions are necessary to join a computer to an AD domain?
The aim of a granular delegation concept is to assign only those rights that are necessary for the operation of the assigned role.
Principle of least privilege for joining the Active Directory domain
We could simply give Domain Admin permissions to every admin. Every admin could then do their work, and that would be it.
But the question is: do we really want to give Domain Admin rights to every helpdesk employee?
I don't think so. This leads to the question: which permissions are really essential for joining a computer to the domain?
Computer objects must be “prestaged”
A requirement for this delegation: computer objects must be “prestaged”.
That means that empty computer objects have to be created in the proper OU by a central authority in advance. I can only recommend this.
Without prestaged computer objects, all new objects are placed in the domain's Computers container (unless you have changed the default container, as described in Tim's article).
From there they have to be moved to the proper target OU.
To move computer objects from the Computers container to the target OU you need:
- Delete permission on the Computers container
- Create permission on the target OU
These far-reaching permissions should be avoided.
Necessary delegations for the target OU
The following delegations are needed on the target OU containing the prestaged computer objects:
Apply to: Descendant Computer objects
- Allow: Reset password
- Allow: Validated write to DNS host name
- Allow: Validated write to service principal name
- Allow: Read account restrictions
- Allow: Write account restrictions
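The same delegation can be applied with PowerShell instead of the Delegation of Control wizard. The script below is an added example, not code from the original article: it writes the five ACEs listed above onto the target OU, each scoped to descendant computer objects, and then reads the ACL back so you can confirm the group holds nothing broader. The OU distinguished name and the group name are assumptions to be replaced; the GUIDs are the standard AD schema GUIDs of the rights, the Account Restrictions property set and the computer object class. It requires the ActiveDirectory module (for Get-ADGroup and the AD: drive).

```powershell
# Added example (not from the original article): delegate the listed rights on a
# target OU with PowerShell. Requires the ActiveDirectory module and a session that
# may modify the OU's security descriptor.
Import-Module ActiveDirectory

$TargetOu = "OU=Workstations,DC=example,DC=com"   # assumed OU holding the prestaged objects
$Delegate = "Helpdesk-DomainJoin"                # assumed group that performs domain joins

$sid = (Get-ADGroup -Identity $Delegate).SID

# Well-known schema GUIDs of the rights/property set from the list above, plus the
# computer object class so that every ACE applies to descendant computer objects only.
$ComputerClass        = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # computer class
$ResetPassword        = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password (extended right)
$ValidatedDnsHostName = [Guid]"72e39547-7b18-11d1-adef-00c04fd8d5cd"   # Validated write to DNS host name
$ValidatedSpn         = [Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1"   # Validated write to SPN
$AccountRestrictions  = [Guid]"4c164200-20c0-11d0-a768-00aa006e0529"   # Account Restrictions (property set)

$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow

function New-DelegationAce {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType
    )
    # "Apply to: Descendant Computer objects": inherit-only ACE, filtered to the computer class
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $Rights, $Allow, $ObjectType, $Descendents, $ComputerClass
}

$aces = @(
    (New-DelegationAce -Rights ExtendedRight -ObjectType $ResetPassword)                       # Reset password
    (New-DelegationAce -Rights Self          -ObjectType $ValidatedDnsHostName)                # Validated write to DNS host name
    (New-DelegationAce -Rights Self          -ObjectType $ValidatedSpn)                        # Validated write to SPN
    (New-DelegationAce -Rights "ReadProperty, WriteProperty" -ObjectType $AccountRestrictions) # Read + write account restrictions
)

$acl = Get-Acl -Path "AD:\$TargetOu"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Check: the group should now hold exactly these four object-specific ACEs on the OU
# and nothing broader (no GenericAll, no CreateChild/DeleteChild on the OU itself).
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Delegate" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The read-back at the end is the part worth keeping in a runbook: after any delegation change, compare the group's ACEs on the OU against this list, and treat anything beyond the four object-specific entries as a finding to clean up.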
You can obtain further information from the following Microsoft KB article: