Minimal Active Directory Permission for Domain Join (+ Bonus Material)

In the following post, we allow a NetApp administrator (called “netappadmin”) to join a system to Active Directory with the minimal permissions to do so. The scenario is for a NetApp administrator, but the theory can be applied to any situation where you want to give an administrator/user the minimum permissions to join a system to AD.

Step By Step Guide

Note: Steps 1 to 11 are all done in Active Directory Users and Computers (ADUC)

Step 1) Being tidy AD administrators, first we create a new Global Security group called “naadmins”.

Image 1: Global Security group “naadmins”
Step 2) Then we add our “netappadmin” user account to this group.

Image 2: netappadmin in naadmins group
Step 3) Next, create an OU for our NetApp systems - here we call it “NA-CDOT”
Step 4) And in our OU “NA-CDOT”, create a new AD machine account with the name of the CIFS server that’s going to be joined - here we call it “NASVM01”.

Image 3: NASVM01 AD Computer account in the OU “NA-CDOT”
Step 5) Right-click on the OU “NA-CDOT” and select ‘Delegate Control...’

Image 4: Delegate Control of the OU “NA-CDOT”
Step 6) Delegation of Control Wizard: Welcome ...
Click Next >

Step 7) Delegation of Control Wizard: Users or Groups
Add the “naadmins” group
Click Next >

Image 5: DoCW - adding the naadmins group
Step 8) Delegation of Control Wizard: Tasks to Delegate
Select ‘Create a custom task to delegate’
Click Next >

Image 6: DoCW - Tasks to Delegate
Step 9) Delegation of Control Wizard: Active Directory Object Type
Select ‘Only the following objects in the folder’
Tick the ‘Computer objects’ check box
Click Next >

Image 7: DoCW - Active Directory Object Type
Step 10) Delegation of Control Wizard: Permissions
Tick the ‘Creation/deletion of specific child objects’ check box
And from the ‘Permissions’ list:
Tick ‘Reset password’
Tick ‘Read and write account restrictions’
Tick ‘Validated write to DNS host name’
Tick ‘Validated write to service principal name’
Click Next >

Image 8: DoCW - Permissions (‘Reset password’ is not on screen)
Step 11) Delegation of Control Wizard: Completing...
Click Finish

Step 12) Test it works!

NACLU01::> cifs server create -cifs-server NASVM01 -domain lab.priv -vserver NASVM01.lab.priv
In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges...

Enter the user name: netappadmin

Enter the password:

Warning: An account by this name already exists in Active Directory at
         Ok to reuse this account? {y|n}: y

NACLU01::> cifs server show
            Server          Status    Domain/Workgroup Authentication
Vserver     Name            Admin     Name             Style
----------- --------------- --------- ---------------- --------------
NASVM01.lab.priv NASVM01    up        LAB              domain

BONUS 1: Allowing NetApp administrators to update their system’s Service Principal Names (SPNs)

In ‘Delegation of Control Wizard: Permissions’ (Step 10 above) there is an additional permission that can be really useful for your NetApp administrator to have (especially if you’ve been following some of my recent posts on Kerberos, SPNs, and site failover). In the ‘Property-specific’ section, the permission ‘Write servicePrincipalName’ allows your NetApp administrator to delete and append SPNs on their NetApp CIFS server’s machine account.

Image 9: DoCW - Add the permission ‘Write servicePrincipalName’
BONUS 2: Active Directory Permissions to allow AD Computer Account Domain Join

The following security options cannot be specified on an OU, but if your Active Directory administrator does not want to delegate permissions on an OU, they could instead assign the following permissions directly on the AD computer account for the NetApp administrator:

Reset password = Allow
Validated write to DNS host name = Allow
Validated write to service principal name = Allow
Read account restrictions = Allow
Write account restrictions = Allow

Note: For allowing a NetApp administrator to update SPNs (as in BONUS 1), there are no options under the AD computer account’s security settings to allow this; it needs to be done using Delegation of Control.
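The same delegation, scripted. This is an added example and not code from the original post or from NetApp: it reproduces Steps 1 to 11 (the OU delegation, including the optional ‘Write servicePrincipalName’ from BONUS 1) and the per-computer-account variant from BONUS 2 with the RSAT ActiveDirectory module, so the resulting ACEs can be reviewed and re-applied consistently. It assumes the domain lab.priv from the post’s CLI output, the post’s names (naadmins, netappadmin, NA-CDOT, NASVM01), and that it runs under an account allowed to create the objects and modify their security descriptors. The function names Get-SchemaGuid, Get-RightsGuid, New-Ace and Grant-DomainJoinRights are this example’s own.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory
# module; assumes domain lab.priv and the object names used in the post.
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName      # e.g. DC=lab,DC=priv
$ouDn       = "OU=NA-CDOT,$domainDn"
$cifsServer = 'NASVM01'

# Steps 1-4: global security group, group membership, OU and the pre-created computer object
$group = New-ADGroup -Name 'naadmins' -GroupScope Global -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $group -Members 'netappadmin'
New-ADOrganizationalUnit -Name 'NA-CDOT' -Path $domainDn
New-ADComputer -Name $cifsServer -Path $ouDn

# Look up the GUIDs the ACEs need in the schema and the Extended-Rights container
# rather than hard-coding them; the display names match the wizard's labels.
$rootDse  = Get-ADRootDSE
$rightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]::new([byte[]]$o.schemaIDGUID)
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsDn -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$computerClass   = Get-SchemaGuid 'computer'
$spnAttribute    = Get-SchemaGuid 'servicePrincipalName'
$resetPassword   = Get-RightsGuid 'Reset Password'
$validatedDns    = Get-RightsGuid 'Validated write to DNS host name'
$validatedSpn    = Get-RightsGuid 'Validated write to service principal name'
$accountRestrict = Get-RightsGuid 'Account Restrictions'     # property set

$sid = [System.Security.Principal.SecurityIdentifier]$group.SID
function New-Ace([System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType,
                 [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit, [guid]$InheritedType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inherit, $InheritedType)
}

# The five permissions from Step 10 / BONUS 2, plus the optional BONUS 1 right.
#   -Scope OU       : ACEs inherited by computer objects under the OU (Steps 5-11)
#   -Scope Computer : ACEs on one computer account only (BONUS 2)
function Grant-DomainJoinRights {
    param([string]$TargetDn, [ValidateSet('OU','Computer')][string]$Scope, [switch]$IncludeSpnWrite)
    $acl = Get-Acl -Path "AD:\$TargetDn"
    if ($Scope -eq 'OU') {
        $inherit = 'Descendents'; $inheritedType = $computerClass
        # 'Creation/deletion of specific child objects' limited to computer objects,
        # placed on the OU itself (no inheritance) to keep the grant as narrow as possible
        $acl.AddAccessRule((New-Ace 'CreateChild, DeleteChild' $computerClass 'None' ([guid]::Empty)))
    } else {
        $inherit = 'None'; $inheritedType = [guid]::Empty
    }
    # Reset password is an extended right, the two validated writes use the Self right,
    # and account restrictions is a property set granted through Read/WriteProperty.
    $acl.AddAccessRule((New-Ace 'ExtendedRight' $resetPassword $inherit $inheritedType))
    $acl.AddAccessRule((New-Ace 'Self' $validatedDns $inherit $inheritedType))
    $acl.AddAccessRule((New-Ace 'Self' $validatedSpn $inherit $inheritedType))
    $acl.AddAccessRule((New-Ace 'ReadProperty, WriteProperty' $accountRestrict $inherit $inheritedType))
    if ($IncludeSpnWrite) {
        # BONUS 1: unvalidated write to servicePrincipalName (delete/append SPNs)
        $acl.AddAccessRule((New-Ace 'WriteProperty' $spnAttribute $inherit $inheritedType))
    }
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

# Steps 5-11 plus BONUS 1 on the OU
Grant-DomainJoinRights -TargetDn $ouDn -Scope OU -IncludeSpnWrite

# BONUS 2 alternative: the same five rights on just the pre-created computer account
# $computerDn = (Get-ADComputer $cifsServer).DistinguishedName
# Grant-DomainJoinRights -TargetDn $computerDn -Scope Computer

# Step 12 companion check: show exactly what naadmins now holds on the OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*\naadmins' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

The final Get-Acl listing is the part worth keeping around: run it before and after the NetApp side's cifs server create, and again whenever the OU is audited, so that anything beyond the five rights (and, if granted, Write servicePrincipalName) shows up as a deviation from the intended minimum.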