
Thursday, May 23, 2013

Delegate Authority in AD to add and remove computers


Delegation of Authority in AD is a good way to manage the level of access given to technicians. By default, any authenticated user in the AD environment (i.e. an ordinary user) can add up to 10 machines to the domain; once that quota is used up, the user can add no more.

When configuring these settings, it is advisable to apply them only to the OUs on which you actually want to delegate authority. It is tempting to save time and effort by setting this at the top level of the domain, but that will come back to bite you big time when your help desk lackey deletes your domain controllers.

To delegate the authority to add and remove AD computer objects, do the following:

  1. Open AD Users and Computers and navigate to the OU that contains the workstations / servers you wish to delegate.
  2. Right-click the OU and select Delegate Control.
  3. Click Next past the welcome screen.
  4. Select the group you wish to delegate access to, e.g. a group named helpdesk or level1_techs.
  5. Choose Create a custom task to delegate and click Next.
  6. Select Only the following objects in the folder, then tick Computer objects as well as the boxes Create selected objects in this folder and Delete selected objects in this folder. Click Next.
  7. In the Permissions window, select:
    1. Create All Child Objects
    2. Delete All Child Objects
    3. Read All Properties
    4. Write All Properties
    5. Change Password
    6. Reset Password
    7. Validated Write to DNS Host Name
    8. Validated Write to Service Principal Name
  8. Note that several other sub-settings will be enabled after choosing the above. Leave these as they are and click Next.
  9. Click Finish to apply the settings.
And that's it! As always, thoroughly test these settings before handing them to the intended users, to make sure they have the required level of permissions (i.e. not too many and not too few). An easy way to test this is to have the user add, or re-add, a workstation to the domain.
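The same delegation can be scripted instead of clicked through, which is handy when you have several OUs to cover and want the result to be repeatable and reviewable. The block below is an added example, not code from the original post: it uses the ActiveDirectory PowerShell module to grant a group the ability to create and delete computer objects in one OU and the listed rights on the computer objects beneath it, then reads the ACL back so you can verify exactly what was granted (the "test it" step above). The OU path and group name are placeholders; it assumes RSAT with the ActiveDirectory module installed and an account allowed to change the OU's security descriptor. The schema and control-access-right GUIDs are looked up from the forest rather than hard-coded.

```powershell
# Added example (not from the original post): delegate computer-object management
# on one OU to a group, mirroring the wizard steps, then verify the resulting ACEs.
# Assumes the ActiveDirectory module (RSAT) and rights to edit the OU's ACL.
Import-Module ActiveDirectory

$ouDN      = 'OU=Workstations,DC=example,DC=com'   # placeholder: the OU to delegate
$groupName = 'helpdesk'                            # placeholder: the technicians' group

$root  = Get-ADRootDSE
$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the GUIDs from this forest's schema and Extended-Rights container
# instead of hard-coding them.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $root.schemaNamingContext `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ControlAccessRightGuid([string]$Cn) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter "(cn=$Cn)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$computerClass = Get-SchemaClassGuid 'computer'
$changePwd     = Get-ControlAccessRightGuid 'User-Change-Password'
$resetPwd      = Get-ControlAccessRightGuid 'User-Force-Change-Password'
$validatedDns  = Get-ControlAccessRightGuid 'Validated-DNS-Host-Name'
$validatedSpn  = Get-ControlAccessRightGuid 'Validated-SPN'

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$All         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # Create / delete computer objects in this OU and its sub-OUs (wizard step 6).
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $Allow, $computerClass, $All)
    # Read / write all properties, scoped to descendant computer objects only.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $Allow, $Descendents, $computerClass)
    # Change Password and Reset Password control-access rights on computer objects.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight',
        $Allow, $changePwd, $Descendents, $computerClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight',
        $Allow, $resetPwd, $Descendents, $computerClass)
    # Validated writes (the "Self" right) to dNSHostName and servicePrincipalName.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'Self',
        $Allow, $validatedDns, $Descendents, $computerClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'Self',
        $Allow, $validatedSpn, $Descendents, $computerClass)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: show what the group can now do on this OU. Expect only the ACEs
# above; anything broader (GenericAll, or rights granted at the domain root)
# means the delegation landed in the wrong place or with too much scope.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# Related: the per-user join quota mentioned above is the domain attribute
# ms-DS-MachineAccountQuota (default 10); read it to confirm what ordinary users get.
Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object -ExpandProperty 'ms-DS-MachineAccountQuota'
```

Run it once per OU you want to delegate, never against the domain root. The verification output is also what you would diff later to spot delegation drift: a quick way to check that nobody has since widened the help desk group's rights beyond computer objects.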

Of course, there are several other things you can do with delegation of authority, including assigning permissions for user creation and many other settings.

The above article discusses how to delegate authority in a Windows Active Directory domain for adding and removing workstations or computers.

This article can also be located on our sister site at
