Delegate Add/Delete Computer Objects in AD

AD delegation allows you to give users or groups access to specific parts of your AD without granting them full administrative rights. A good example is allowing Help Desk users to reset user passwords; this is easy to set up and is a default option when delegating control of an OU. Allowing Help Desk users to join computer accounts to your domain and remove them again is a bit more involved. By default, a standard user account can join up to 10 workstations to your domain, and more than likely you will want them to join more. Here are the necessary steps as well as my recommendations:

1 – Create New OU for your Computers

Computer OU

In this example, I made the top-level OU called Computer and created several sub-OUs. I suggest using an OU because you can link a GPO at the topmost level to apply specific security settings to all of your computers.

2 – Redirect the Default Computers Container to the New Computer OU in AD

By default, computers joined to an AD domain are placed in the Computers container, which cannot have a GPO linked to it because it is a container and not an OU. You can redirect that default location to the new Computer OU using Redircmp.exe (http://support.microsoft.com/kb/324949). On your AD Domain Controller, run the following command (replace DC=contoso,DC=local with your domain name):

C:\windows\system32>redircmp OU=computer,DC=contoso,DC=local

3 – Create a Global Security Group to Join/Delete Computers

Create a new Global Security Group, which we will use to delegate who can join and delete computers in AD. In my example, I will use a group called Join-Move-Delete Computer OU.

4 – Delegate the Join and Delete Permissions

  • Right-Click the Computer OU and select Properties
  • Click the Security tab and click the Advanced button

ComputerOU Properties

  • Click the Add button, enter the name of the security group Join-Move-Delete Computer OU and click OK. You can now add any users you desire to this group.

ComputerOU Advanced Security

  • Under Apply to, select This object and all descendant objects
  • Under the Allow column, select Create Computer Objects and Delete Computer Objects
  • Click OK on all of the screens to save the changes

ComputerOU Create-Delete Permissions

All members of the Join-Move-Delete Computer OU group can now Add and Delete Computers in your domain.

5 – Delegate Moving Objects to Sub-OUs in the Computer OU (Optional)

This step is optional, but you will most likely want your users to be able to move the computers they join into the proper sub-OU. In that case, we need to add one more permission.

  • Right-Click the Computer OU and select Properties
  • Click the Security tab and click the Advanced button
  • Click the Add button, enter the name of the security group Join-Move-Delete Computer OU and click OK.
  • Under Apply to, select Descendant Computer objects
  • Under the Allow column, select Write all properties
  • Click OK on all of the screens to save the changes

All members of the Join-Move-Delete Computer OU group can now move computers between all of the sub-OUs in the Computer OU.
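Applying steps 4 and 5 from PowerShell instead of the Advanced Security dialog, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed and that the Computer OU (step 1) and the Join-Move-Delete Computer OU group (step 3) already exist; it looks up the schema GUID of the computer class instead of hard-coding it, and finishes by reading the OU's ACL back so you can confirm the delegation grants exactly the two ACEs described above and nothing wider.

```powershell
# Added example: grant the step 4 and step 5 permissions with PowerShell.
# Assumes the RSAT ActiveDirectory module; change the DN and group name to match your domain.
Import-Module ActiveDirectory

$ouDn      = 'OU=Computer,DC=contoso,DC=local'   # OU created in step 1
$groupName = 'Join-Move-Delete Computer OU'      # group created in step 3

# Look up the schemaIDGUID of the "computer" object class so the ACEs are scoped
# to computer objects only (the GUI does this for you when you pick the object type).
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [Guid]$computerClass.schemaIDGUID

$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDn"

# Step 4: Create Computer Objects + Delete Computer Objects,
# applied to "This object and all descendant objects".
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($createDelete)

# Step 5: Write all properties, applied to "Descendant Computer objects" only,
# which is what lets group members move computers between the sub-OUs.
$writeProps = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)
$acl.AddAccessRule($writeProps)

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: list the explicit (non-inherited) ACEs on the OU held by the group.
# Run this again periodically to confirm the delegation has not been widened.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*$groupName" -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType
```

The read-back should show exactly two entries for the group: CreateChild, DeleteChild with ObjectType set to the computer class GUID, and WriteProperty with InheritedObjectType set to that same GUID; any additional rights are worth investigating.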

11 comments

2 pings

  1. I am continuously investigating online for articles that can assist me. Thank you!

  2. I am extremely impressed with your writing skills
    and also with the layout on your blog.
    Is this a paid theme or did you customize it yourself?

    Anyway keep up the excellent quality writing, it is rare to see a nice
    blog like this one these days.

      • admin on August 14, 2013 at 12:27 pm
        Author

      This is free theme called Admired by Brad Thomas

    • Alana on December 24, 2013 at 7:19 pm

    Hey just wanted to give you a brief heads up and let you know
    a few of the images aren’t loading correctly. I’m not sure why but
    I think it's a linking issue. I've tried it in two different browsers and both show the same results.

      • admin on December 31, 2013 at 6:50 pm
        Author

      Interesting… I just verified the images are showing fine in Firefox 26 and Internet Explorer 11. There may have been maintenance going on with my provider since it was Xmas eve, which may have broken some links. If you're still having issues, try clearing your browser cache or let me know what browser you're using.

    • R on January 29, 2015 at 1:58 am

    Awesome thanks

    • bob on March 28, 2016 at 6:00 pm

    an OU is not a container. it is an OU. Organizational Unit. A CN is a Container.

    1. Yes – I’ve stated that in the first sentence of the 2nd step

    • jess on January 17, 2017 at 4:46 am

    awesome

    • Shalendra Singh on March 6, 2019 at 5:57 am

    I am still unable to rejoin the system to the domain.

    • Mike on May 18, 2022 at 4:12 am

    Thanks

  1. […] the pencil icon next to Plugin.AdMachineCleanup.UserName and enter the username for an account you have delegated rights to delete computer objects, or be bad and use your domain admin user (that is bad, so don't, but if you do I told you […]