Account to read AD, join machine to domain, delete computer accounts and move computers to OUs
I actually had to set this up for myself recently. We have some custom code that does computer prestaging for new computers when they PXE boot and runs as a service account.
- Check for computer accounts in AD
Any user in the Domain Users group should be able to do this out of the box without any additional permissions unless you've changed default permissions in places or added Deny ACLs on things.
- Join computers to a domain (not restricted to 10, like a normal user)
- Delete computers from AD
- Move computers between OUs
For these, you first have to decide where you want this access to be given. It's easy to just grant permissions at the root of the domain, but not terribly wise. Usually, you have an OU or set of OUs where computer accounts live, so you should apply the following permissions to those containers specifically. Permission to join a computer to the domain requires only the ability to create a computer account and set its properties. Moving a computer between OUs requires the ability to delete the account from one place and create it in another. All that said, here are the permissions you need to grant on each OU:
- This object and all descendants
  - Create Computer objects
  - Delete Computer objects
- Descendant Computer objects
  - Read all properties
  - Write all properties
  - Change password
  - Reset password
  - Validated write to DNS host name
  - Validated write to service principal name
I also have an additional bit of advice. Don't grant these permissions to the service account directly. Create a group like Computer Admins and make the service account a member of that group. Then, grant the permissions to the group. That way, if you have additional people or service accounts that need the same permissions, you only need to modify the group's membership.
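As an added example (not code from the answer above), the same permission list applied with the ActiveDirectory PowerShell module; the OU path and group name are assumptions, and the object-class and extended-right GUIDs are resolved from the schema and configuration partitions rather than hard-coded.

```powershell
# Added example: delegate computer-account management on one OU to a group.
# Assumed values: adjust the OU distinguished name and group name to your domain.
Import-Module ActiveDirectory

$ouDN      = 'OU=Workstations,DC=example,DC=com'   # assumed target OU
$groupName = 'Computer Admins'                      # assumed group name

# Grant to a group, not to the service account itself (create it if missing)
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -PassThru
}
$sid = [System.Security.Principal.SecurityIdentifier]$group.SID

# Look up the Computer class GUID and the extended-right GUIDs from AD itself
$rootDse      = Get-ADRootDSE
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
function Get-RightsGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

$ADR = [System.DirectoryServices.ActiveDirectoryRights]
$Inh = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$acl = Get-Acl -Path "AD:\$ouDN"

# "This object and all descendants": Create and Delete Computer objects
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    'Allow', $computerGuid, $Inh::All))

# "Descendant Computer objects": Read and Write all properties
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    'Allow', $Inh::Descendents, $computerGuid))

# "Descendant Computer objects": password rights (extended rights) and validated writes (Self)
foreach ($name in 'Change Password', 'Reset Password',
                  'Validated write to DNS host name', 'Validated write to service principal name') {
    $right = if ($name -like 'Validated*') { $ADR::Self } else { $ADR::ExtendedRight }
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $right, 'Allow', (Get-RightsGuid $name), $Inh::Descendents, $computerGuid))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

Run it once per OU where computer accounts live; verify the result with `(Get-Acl "AD:\$ouDN").Access | Where-Object IdentityReference -like "*$groupName"`.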
Create a group like "computer admins", then open the Active Directory Users & Computers MMC snap-in, right-click on the OU where you want to give them rights (if you want to give them rights over the whole domain, right-click on the domain name), and select the Delegate Control option.
In the resulting wizard, select the group you created earlier ("computer admins"), click Next, then click "Create a Custom Task to delegate" and click Next.
Then select "Only the following objects in the folder", tick "Computer objects" in the list, and also tick the two boxes at the bottom, "Create selected objects in folder" and "Delete selected objects in folder". Click Next.
On the next screen, select "Full Control" from the list, then click Next.
The next screen will show you a summary of the delegation; click Finish.
Once done, add one of the users to the "computer admins" group and try to carry out the various tasks you want.
Yes, you should be using delegation of control. While I could go through and explain step by step how to do this, there's an easier solution. Download and install ADManagerPlus from ManageEngine and use their AD Delegation tool to set things up for yourself. They have predefined Help Desk roles that you can use to grant the appropriate access to the users in question. Look into the Modify Computers role, as I believe that's what you're looking for.
You can create a specific "Taskpad" mmc for them to use, like here: http://www.petri.co.il/create_taskpads_for_ad_operations.htm
Basically, it's a customized version of MMC that is locked to using certain controls, like creating users, creating computers, etc. The delegation settings/permissions determine what they can do from there.