Enabling standard users to connect their PCs to an Active Directory (AD) domain can introduce security risks. Similarly, using a domain admin account for this task is not advisable. An alternative approach is to create a separate account with limited permissions, specifically for domain join operations.

By default, Active Directory allows authenticated users to add up to 10 computers to the domain. This setting is controlled by the ms-DS-MachineAccountQuota attribute, which can be exploited in various attack scenarios.

To enhance security, it is recommended to revoke the authorization for domain join by normal users, as per Microsoft's best practices. Granting this permission only to dedicated accounts with restricted rights reduces the potential risks associated with domain join operations.

Conversely, using privileged accounts for domain join purposes, especially when automating the deployment of Windows, is not recommended. It is important to follow secure practices and allocate appropriate permissions for specific tasks within the AD environment.

Remove authenticated users from group policy

By default, the Default Domain Controllers Policy contains a setting that grants all users the right to join a computer to the domain. This can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and is called Add workstations to domain.

Setting in the Default Domain Controllers Policy group policy that allows all users to join the domain

It is enabled by default and includes Authenticated Users. Remove them to deprive them of this right.

Set the value of an AD attribute to 0

In addition to the setting in the group policies, the ms-DS-MachineAccountQuota attribute determines how many PCs a user may add to the domain. As mentioned, the default value is 10, but this should be set to 0 for security reasons.

One way to do so is through AD Users and Computers. There, open the properties of the domain and then switch to the Attribute Editor tab. This allows you to change the attribute value.

Set the value of ms DS MachineAccountQuota in ADUC to 0

Alternatively, you can resort to PowerShell for this task. First, display the current value:

Get-ADDomain | Get-ADObject -Properties ms-DS-MachineAccountQuota

Then, assign the value 0 to the attribute:

Set-ADDomain -Identity contoso.com -Replace @{"ms-DS-MachineAccountQuota"="0"}

Query and change the value of ms DS MachineAccountQuota with PowerShell

Set up service users

After implementing the described measures, only administrative accounts can add computers to the domain. Therefore, you now need users whose permissions are specifically tailored to this task. As a rule, you set up a group for this purpose and provide it with the necessary rights.

Normal users can no longer add their PC to the domain

Of course, this raises the question of whether these accounts are also excluded from domain join due to the assignment of 0 to ms-DS-MachineAccountQuota. However, if you explicitly delegate the appropriate permissions to them, then the value in this attribute has no effect.

The simplest method for delegation is to open the domain context menu in AD Users and Computers and run the Assign Object Management command.

This launches a wizard where you first enter the users or groups you want to authorize and then select the Join a computer to the domain task.

Assign permission to add a computer to the domain using the wizard

If you then check the domain properties under Security, you will see that the users have been granted the Create Computer Objects permission. However, this solution is often not ideal because it applies to an entire domain at once and assigns more rights than are required in certain scenarios.

Delegate domain join for OUs

In larger companies, it is common to use separate accounts for different organizational units (OUs). Assigning domain join permissions at that level, however, requires manual configuration, because the wizard offers this option only for the whole domain and not for individual OUs.

Before granting permissions, it is important to evaluate whether service users actually need the ability to create computer accounts in Active Directory. Alternatively, other users could stage the accounts in advance, reducing the need for elevated privileges solely for domain join purposes.

To delegate this task for an OU, follow these steps:

  1. Access the properties of the OU and select the Security tab.
  2. Click the Advanced button to open the corresponding dialog box.
  3. Click Add to specify the principal.
  4. In the Applies to section, select Descendant Computer objects.
  5. In the list of permissions, select Reset password, Write servicePrincipalName, Write userAccountControl, and Write DNS Host Name Attributes, in addition to the already enabled options.

Select the principal and assign its permissions to the descendant computer objects of an OU

If necessary, you can also select Write Operating System, Write Operating System Version, and Write userPrincipalName to allow the users to update these attributes.

The first four permissions are sufficient for the domain join if the computer account already exists

The above permissions are sufficient if a computer account already exists in AD. If the service user should create this account during the domain join, then it also needs the right Create Computer objects for This object and all descendant objects.
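The manual OU delegation described above can also be scripted. The following PowerShell script is an added example, not code from the article: it grants the same entries (Reset password, Write servicePrincipalName, Write userAccountControl, Write dNSHostName on descendant computer objects, and optionally Create Computer objects) through the AD: drive. The OU path and the group name are assumed placeholders; the GUIDs are resolved from the forest schema rather than hard-coded.

```powershell
# Added example, not from the article: delegate domain join on one OU via the AD: drive.
Import-Module ActiveDirectory

$ou              = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU (placeholder)
$principal       = 'CONTOSO\DomainJoiners'               # assumed group of service accounts
$createComputers = $false   # $true only if the accounts must create the computer object

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from the forest schema instead of hard-coding them
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapName' not found" }
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "Extended right '$DisplayName' not found" }
    [guid]$o.rightsGuid
}

$identity      = [System.Security.Principal.NTAccount]$principal
$computerClass = Get-SchemaGuid 'computer'
$rights        = [System.DirectoryServices.ActiveDirectoryRights]
$allow         = [System.Security.AccessControl.AccessControlType]::Allow
$inherit       = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$ruleType      = [System.DirectoryServices.ActiveDirectoryAccessRule]

# Reset password (extended right) on descendant computer objects only
$rules = @($ruleType::new($identity, $rights::ExtendedRight, $allow,
    (Get-ExtendedRightGuid 'Reset Password'), $inherit::Descendents, $computerClass))
# Write servicePrincipalName, userAccountControl and dNSHostName on descendant computer objects
foreach ($attr in 'servicePrincipalName', 'userAccountControl', 'dNSHostName') {
    $rules += $ruleType::new($identity, $rights::WriteProperty, $allow,
        (Get-SchemaGuid $attr), $inherit::Descendents, $computerClass)
}
if ($createComputers) {
    # Create Computer objects on this object and all descendant objects
    $rules += $ruleType::new($identity, $rights::CreateChild, $allow, $computerClass, $inherit::All)
}

$acl = Get-Acl -Path "AD:\$ou"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show the entries the delegated group now holds on the OU
(Get-Acl -Path "AD:\$ou").Access | Where-Object { $_.IdentityReference.Value -eq $principal } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Run it with an account that may modify the OU's security descriptor; the final listing should show one ExtendedRight entry and three WriteProperty entries inherited by descendant computer objects, plus a CreateChild entry when $createComputers is set.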

Summary

By default, all authenticated users may add up to 10 computers to an Active Directory domain and create their machine accounts. However, for security reasons, it is recommended that this behavior be prevented.

To achieve this, the Default Domain Controllers Policy group policy needs to be modified, and the value of the ms-DS-MachineAccountQuota attribute should be set to zero.

Instead, it is best to utilize dedicated service accounts that are specifically set up for the purpose of handling domain join operations. The wizard available in Active Directory Users and Computers simplifies this task across the entire domain.

If this permission needs to be delegated at the organizational unit (OU) level, it must be assigned manually. If organizations prestage computer accounts before the PCs join the domain, reduced rights will suffice while still achieving the desired outcome.