Skip Ribbon Commands
Skip to main content

Ondrej Sevecek's English Pages

:

Engineering and troubleshooting by Directory Master!
MCM: Directory

Quick Launch

Ondrej Sevecek's English Pages > Posts > How to delegate LDAP permissions to join computers to domain
May 15
How to delegate LDAP permissions to join computers to domain

Today I just want to share a simple PowerShell script which delegates user permissions inside an Active Directory LDAP domain to join computers to AD domain correctly, instead of relying on the default limit of 10 different computer accounts (enforced with the "Add workstation to domain" user right, the ms-DS-MachineAccountQuota and the ms-DS-CreatorSID attributes).

Such a delegation is often necessary in case of System Center Configuration Manager OSD scenarios (operating system deployment). You should always assign the least required privileges for the joiner account, but you must allow the account to join any number of computers to domain. This includes joining to existing computer accounts as well as creating new computer accounts for bare metal installs.

When you join a new computer, it is basically a create computer object operation. While if you only join to an existing computer account, crutialy you need Reset Password extended control right and change pwdLastSet attribute.

The script follows:

$user = 'gps\SCCM Client Computer Joiners'
$ou = 'OU=SCCM Test Clients,OU=SCCM,OU=Service,OU=Company,DC=gopas,DC=virtual'

DSACLS $ou /R $user

DSACLS $ou /I:S /G "$($user):GR;;computer"
DSACLS $ou /I:S /G "$($user):CA;Reset Password;computer"
DSACLS $ou /I:S /G "$($user):WP;pwdLastSet;computer"
DSACLS $ou /I:S /G "$($user):WP;Logon Information;computer"
DSACLS $ou /I:S /G "$($user):WP;description;computer"
DSACLS $ou /I:S /G "$($user):WP;displayName;computer"
DSACLS $ou /I:S /G "$($user):WP;sAMAccountName;computer"
DSACLS $ou /I:S /G "$($user):WP;DNS Host Name Attributes;computer"
DSACLS $ou /I:S /G "$($user):WP;Account Restrictions;computer"
DSACLS $ou /I:S /G "$($user):WP;servicePrincipalName;computer"
DSACLS $ou /I:S /G "$($user):CC;computer;organizationalUnit"

As always, I would put the script into a .PS1 file and start it from another .BAT file with the same name, which contains just the folowing generic code:

powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" > "%temp%\%~n0.log"

This way you get no problems with PowerShell execution policy on the target machine and also redirect output to a log file with the same name as both the PS1 and BAT files.

Note although, that you cannot ever overrule the PowerShell execution policy set by using a GPO - the Administrative Templates/Windows Components/Windows PowerShell/Turn on Script Execution setting.

Comments

There are no comments for this post.

Add Comment

Title


You do not need to provide any value this column. It will automatically fill with the name of the article itself.

Author *


Body *


Type number two as digit *


This simple antispam field seems to work well. Just put here the number.

Attachments