Topics Map > Active Directory

Campus Active Directory - Domain Join Permissions for Computer Objects

Domain joining devices to Active Directory only requires a few permissions to be delegated. OU accounts already have these permissions. However, as a best practice you should delegate a service account for the sole purpose of domain joining devices to Active Directory. If you have custom scripts or tasks that are utilizing OU account credentials for domain joining devices, you should be using a service account with delegated permissions instead. This KB article will outline the required permissions that you can delegate, including an additional permission required to domain join devices via LDAP (required after enforcing Microsoft Update KB5008383). Domain joins via LDAP is most common with WorkspaceONE and Directory Utility/dsconfigad within macOS devices.

There are only 4 permissions required to domain join computer objects to Active Directory. Below are the steps you can take to create a service account with the required permissions.

  1. Create a service account in your OU, following the naming conventions detailed here: https://kb.wisc.edu/iam/30600#kb-toc-anchor23
  2. Right click on the OU you want to join computers to and navigate to Properties>Security>Advanced (In this example I am delegating permission to the CAD Demo OU):
  3. After clicking Advanced, a new window will open. Click on Add and another window will open. At the top of this window will be an option to select your service account that was previously created. After selecting your service account, change the "Applies to" drop-down to "Descendant Computer objects.
  4. Next, scroll down to the bottom of the window and select the "Clear all" option.
  5. After clearing all permissions, find and select the following four permissions:

After selecting the above options, click OK followed by Apply in the Advanced Security Settings window.

Your permissions should look like this. Some settings will appear blank but this is normal.

Your account should now be able to join computers to Campus AD in the OU you have set permissions for.


Keywords:
"campus active directory",cads,delegation,modification,"service account permission","WS1","WorkspaceONE","Omnissa","domain joining","LDAP","3047","error","log","mac","macbook","domain joins" 
Doc ID:
133807
Owned by:
MST Support in Identity and Access Management
Created:
2024-01-03
Updated:
2024-09-13
Sites:
Identity and Access Management