Introduction

Delegating rights to a user account for joining computers to the domain can streamline the process and reduce the need for administrative intervention. This is particularly useful in automated deployment scenarios using tools such as MDT, LANDesk, KACE, or SCCM.

Steps to Delegate Rights

Follow these steps to delegate the necessary rights to a user account:

  1. Open the Active Directory Users and Computers tool.
  2. Right-click the Organizational Unit (OU) where the computers will be added and select Delegate Control from the context menu.
  3. Click Next to start the Delegation of Control Wizard.
  4. Click Add and select the user account (e.g., xxxxx) that you want to delegate permissions to, then click Next.
  5. Select Create a custom task to delegate and click Next.
  6. Select Only the following objects in the folder and check Computer objects, then click Next.
  7. Check the following permissions:
    • Create selected objects in this folder
    • Delete selected objects in this folder
    • Reset Password
    • Read and write Account Restrictions
    • Validated write to DNS host name
    • Validated write to service principal name
  8. Click Next to review the selections.
  9. Click Finish to apply the delegation settings.
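
To confirm the wizard granted only the rights listed above, the following added example (not part of the original page) reads the OU's ACL and flags any explicit entry for the delegated account that is broader than intended. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the OU distinguished name and account name are placeholders.

```powershell
# Added example: review the explicit ACEs a delegated account holds on an OU.
# $OuDn and $Account are placeholder assumptions; replace with your own values.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$OuDn    = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU
$Account = 'EXAMPLE\svc-domainjoin'              # hypothetical delegated account

# Well-known schema GUIDs that correspond to the wizard selections
$Expected = @{
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'Computer objects (create/delete)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Account Restrictions'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
}
$Computer = 'bf967a86-0de6-11d0-a285-00aa003049e2'   # Computer object class
$ADR      = [System.DirectoryServices.ActiveDirectoryRights]

# Only ACEs set directly on this OU for this account (inherited ones are skipped)
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited }

$report = foreach ($ace in $aces) {
    $obj     = $ace.ObjectType.ToString()
    $scope   = $ace.InheritedObjectType.ToString()
    $rights  = $ace.ActiveDirectoryRights
    $childOp = $rights.HasFlag($ADR::CreateChild) -or $rights.HasFlag($ADR::DeleteChild)

    $issues = @()
    if ($rights.HasFlag($ADR::WriteDacl) -or $rights.HasFlag($ADR::WriteOwner)) {
        $issues += 'can change permissions or ownership'
    }
    if (-not $Expected.ContainsKey($obj)) {
        $issues += 'right is not one of those listed in the delegation'
    }
    if (-not $childOp -and $scope -ne $Computer) {
        $issues += 'not limited to computer objects'
    }
    [pscustomobject]@{
        Type       = $ace.AccessControlType
        Rights     = $rights
        AppliesTo  = $Expected[$obj]
        ObjectGuid = $obj
        Issues     = $issues -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap
```

An empty Issues column on every row means the explicit entries on that OU match the delegation; rights the account inherits from parent containers or group membership are outside what this check covers.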
