Active Directory: delegating the permission to join computers to the domain (Q&A)

  
Question: I want to delegate the permission to join computers to the domain, but there is no "Join a computer to the domain" task in the delegation wizard. Other tasks, such as adding users and viewing information, are also missing from the common tasks list. The system is Windows Server 2003 Enterprise SP1. When I try to join a computer to the domain, both with the delegated account and with an account from the ordinary users group, I get an "Access is denied" prompt. I don't know why.

Answer: Based on your description, my understanding of the problem is this: when delegating control in the domain, you did not see the "Join a computer to the domain" permission. If my understanding is wrong, please let me know.

This may be because you are delegating control on an OU. The "Join a computer to the domain" permission is only shown when you delegate control at the domain level, because joining a domain is an operation on the domain, not on an OU, so this option is only visible at the domain level. I recommend that you perform the delegation again, add the "Join a computer to the domain" permission, and then try joining the domain with the delegated account to see whether the problem persists.

Follow-up: That account then has permission to join computers anywhere in the whole domain. Can the permission be restricted to a particular OU? ---simple

Answer: To delegate domain-join access for a specific OU, you must create a custom delegation task. The steps are as follows:

1. Open Active Directory Users and Computers.
2. Expand the tree to the OU, right-click the OU you need to delegate, and select Delegate Control.
3. Follow the wizard, select the group to delegate permissions to, and click Next.
4. Select "Create a custom task to delegate" and click Next.
5. Click "Only the following objects in the folder" and select the following options in the list box: Computer objects; Create selected objects in this folder; Delete selected objects in this folder.
6. Click Next. In the Permissions list box, select the following options: Read; Write; Reset Password; Validated write to DNS host name; Read and write Account Restrictions; Validated write to service principal name.
7. Click Next, then click Finish.

When a computer joins a domain, its computer account is created in the Computers container by default. Therefore, when joining the domain, you must first create the computer object in the OU and then join; otherwise the join fails. Alternatively, use Netdom to specify the OU in which the computer object is created when joining. The "Access is denied" problem is that ordinary domain users cannot write to the Computers container, or cannot write to the corresponding OU. Give the domain account the corresponding write permissions and the join will work.
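The custom delegation and the pre-staging described in the answer above, scripted as an added example; this is not code from the original thread. It uses System.DirectoryServices ([ADSI]) rather than the ActiveDirectory module so it can be run with PowerShell against a Windows Server 2003 DC, and it assumes a domain corp.example, an OU "Workstations", a group "Workstation-Joiners" and a computer name "WS001", all of which are placeholders. The schema and rights GUIDs are the well-known ones the wizard uses for the listed permissions; the Read and Write checkboxes of the wizard are replaced here by the property-level rights the join actually needs, because a blanket Write on computer objects grants far more than joining requires.

```powershell
# Added example (not from the original Q&A). Run as a domain admin from a domain-joined
# machine. Assumed names: corp.example / OU=Workstations / Workstation-Joiners / WS001.
$ouDN  = "OU=Workstations,DC=corp,DC=example"                      # assumed target OU
$group = New-Object System.Security.Principal.NTAccount("CORP", "Workstation-Joiners")  # assumed group
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier])

# Well-known GUIDs behind the wizard's options (computer class + the step-6 rights)
$computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of class 'computer'
$resetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # extended right: Reset Password
$validatedDns  = [Guid]"72e39547-7b18-11d1-adef-00c04fd8d5cd"   # validated write: DNS host name
$validatedSpn  = [Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1"   # validated write: servicePrincipalName
$accountRestr  = [Guid]"4c164200-20c0-11d0-a768-00aa006e0529"   # property set: Account Restrictions

# Helper: build an Allow ACE for the delegated group
function New-Ace {
    param($Rights, [Guid]$ObjectType, $Inheritance, [Guid]$InheritedObjectType)
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        $InheritedObjectType)
}

$ou  = [ADSI]"LDAP://$ouDN"
$acl = $ou.psbase.ObjectSecurity

# Step 5: create/delete computer objects in this OU and its sub-OUs
$acl.AddAccessRule((New-Ace "CreateChild,DeleteChild" $computerClass "All" ([Guid]::Empty)))

# Step 6, but scoped to descendant computer objects only (not users, groups, etc.)
$acl.AddAccessRule((New-Ace "ExtendedRight"               $resetPassword   "Descendents" $computerClass))
$acl.AddAccessRule((New-Ace "Self"                        $validatedDns    "Descendents" $computerClass))
$acl.AddAccessRule((New-Ace "Self"                        $validatedSpn    "Descendents" $computerClass))
$acl.AddAccessRule((New-Ace "ReadProperty,WriteProperty"  $accountRestr    "Descendents" $computerClass))
$acl.AddAccessRule((New-Ace "GenericRead"                 ([Guid]::Empty)  "Descendents" $computerClass))

$ou.psbase.CommitChanges()   # write the new DACL to the OU

# The join writes the computer account to the Computers container by default, which the
# delegated group cannot write to. Either (a) pre-stage the account in the OU ...
$comp = $ou.Create("computer", "CN=WS001")
$comp.Put("sAMAccountName", 'WS001$')
$comp.Put("userAccountControl", 4128)   # WORKSTATION_TRUST_ACCOUNT (4096) + PASSWD_NOTREQD (32)
$comp.SetInfo()

# ... or (b) skip pre-staging and, on the workstation as a member of the delegated group,
# tell netdom which OU to create the account in:
#   netdom join WS001 /d:corp.example /OU:"OU=Workstations,DC=corp,DC=example" /ud:CORP\joiner /pd:*
```

To confirm what was written, `dsacls "OU=Workstations,DC=corp,DC=example"` lists the resulting ACEs; the ones for Workstation-Joiners should appear only with "Inherited to: computer" scope apart from the create/delete-child entry on the OU itself. If a join still returns "Access is denied", check that the account is being created in this OU (pre-staged or via /OU) and not in the default Computers container.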
Copyright © Windows knowledge All Rights Reserved