In the following post, we allow a NetApp administrator (called “netappadmin”) to join a system to Active Directory with the minimal permissions to do so. The scenario is for a NetApp administrator, but the theory can be applied to any situation where you want to give an administrator/user the minimum permissions to join a system to AD.
Step By Step Guide

Note: Steps 1 to 11 are all done in Active Directory Users and Computers (ADUC)
Step 1) Being tidy AD administrators, first we create a new Global Security group called “naadmins”.

Image 1: Global Security group “naadmins”

Step 2) Then we add our “netappadmin” user account to this group.

Image 2: netappadmin in naadmins group

Step 3) Next, create an OU for our NetApp systems - here we call it “NA-CDOT”.

Step 4) And in our OU “NA-CDOT”, create a new AD Machine account with the name of the CIFS server that’s going to be joined - here we call it “NASVM01”.

Image 3: NASVM01 AD Computer account in the OU “NA-CDOT”

Step 5) Right-click on the OU “NA-CDOT” and select ‘Delegate Control...’

Image 4: Delegate Control of the OU “NA-CDOT”

Step 6) Delegation of Control Wizard: Welcome ...
Click Next >

Step 7) Delegation of Control Wizard: Users or Groups
Add the “naadmins” group
Click Next >

Image 5: DoCW - adding the naadmins group

Step 8) Delegation of Control Wizard: Tasks to Delegate
Select ‘Create a custom task to delegate’
Click Next >

Image 6: DoCW - Tasks to Delegate

Step 9) Delegation of Control Wizard: Active Directory Object Type
Select ‘Only the following objects in the folder’
Tick the ‘Computer objects’ check box
Click Next >

Image 7: DoCW - Active Directory Object Type

Step 10) Delegation of Control Wizard: Permissions
Tick the ‘Creation/deletion of specific child objects’ check box
And from the ‘Permissions’ list:
Tick ‘Reset password’
Tick ‘Read and write account restrictions’
Tick ‘Validated write to DNS host name’
Tick ‘Validated write to service principal name’
Click Next >

Image 8: DoCW - Permissions (‘Reset password’ is not on screen)

Step 11) Delegation of Control Wizard: Completing...
Click Finish

Step 12) Test it works!
NACLU01::> cifs server create -cifs-server NASVM01 -domain lab.priv -vserver NASVM01.lab.priv

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges...

Enter the user name: netappadmin
Enter the password:

Warning: An account by this name already exists in Active Directory at CN=NASVM01,OU=NA-CDOT,OU=~LAB-SYSTEMS,DC=lab,DC=priv
Ok to reuse this account? {y|n}: y

NACLU01::> cifs server show

                 Server          Status    Domain/Workgroup Authentication
Vserver          Name            Admin     Name             Style
---------------- --------------- --------- ---------------- --------------
NASVM01.lab.priv NASVM01         up        LAB              domain
BONUS 1: Allowing NetApp administrators to update their system’s Service Principal Names (SPNs)

In ‘Delegation of Control Wizard: Permissions’ (Step 10 above) there is an additional permission that could be really useful for your NetApp administrator to have (if you’ve been reading some of my recent posts on Kerberos, SPNs, and site failover). In the ‘Property-specific’ section, there is the permission ‘Write servicePrincipalName’, which will allow your NetApp administrator to delete and append SPNs on their NetApp CIFS Server’s machine account.

Image 9: DoCW - Add the permission ‘Write servicePrincipalName’
BONUS 2: Active Directory Permissions to allow AD Computer Account Domain Join

The following security options cannot be specified on an OU, but if your Active Directory administrator does not want to delegate permission over an OU, they could instead assign the following permissions on the AD computer account itself for the NetApp Administrator:

Reset password = Allow
Validated write to DNS host name = Allow
Validated write to service principal name = Allow
Read account restrictions = Allow
Write account restrictions = Allow

Note: For allowing a NetApp Administrator to update SPNs (as in BONUS 1), there are no options under the AD Computer Account’s security settings to allow this; it needs to be done using Delegation of Control.
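The Step 10 and BONUS 1 delegation as a PowerShell script, added here as an example and not part of the original post. It assumes the ActiveDirectory module, the group name “naadmins” and the OU path shown in the Warning output above, and resolves the rights GUIDs from the directory rather than hard-coding them.

```powershell
# Added example: apply the Step 10 + BONUS 1 ACEs to the OU for computer objects only.
# Assumed from the post: OU "NA-CDOT" under "OU=~LAB-SYSTEMS,DC=lab,DC=priv", group "naadmins".
Import-Module ActiveDirectory

$OuDn  = 'OU=NA-CDOT,OU=~LAB-SYSTEMS,DC=lab,DC=priv'
$Group = 'naadmins'
$Sid   = (Get-ADGroup -Identity $Group).SID

$RootDse  = Get-ADRootDSE
$SchemaNC = $RootDse.schemaNamingContext
$ConfigNC = $RootDse.configurationNamingContext

# schemaIDGUID of a class or attribute (stored in AD as a byte array)
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    New-Object Guid (,$o.schemaIDGUID)
}
# rightsGuid of an extended right, property set or validated write
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [Guid]$o.rightsGuid
}

$ComputerClass = Get-SchemaGuid 'computer'
# Wizard entry -> object GUID + ActiveDirectoryRights flag ('Self' is the validated-write right)
$Entries = @(
    @{ Guid = Get-RightsGuid 'Reset Password';                            Rights = 'ExtendedRight' },
    @{ Guid = Get-RightsGuid 'Account Restrictions';                      Rights = 'ReadProperty, WriteProperty' },
    @{ Guid = Get-RightsGuid 'Validated write to DNS host name';          Rights = 'Self' },
    @{ Guid = Get-RightsGuid 'Validated write to service principal name'; Rights = 'Self' },
    @{ Guid = Get-SchemaGuid 'servicePrincipalName';                      Rights = 'WriteProperty' }  # BONUS 1
)

$Acl = Get-Acl -Path "AD:\$OuDn"
foreach ($e in $Entries) {
    # InheritedObjectType = computer class, so each ACE applies only to computer objects
    # below the OU (the wizard's "Only the following objects in the folder").
    $Ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]$e.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow, $e.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClass)
    $Acl.AddAccessRule($Ace)
}
Set-Acl -Path "AD:\$OuDn" -AclObject $Acl

# Check: the group should hold exactly these five object-specific ACEs on the OU, nothing broader.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

For the BONUS 2 variant, point the path at the computer account’s own DN and build the ACEs with inheritance `None` and no InheritedObjectType argument, so they apply to that one object only.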
THE END