This is a quick post to describe the process of creating a dedicated account for joining machines to an Active Directory (AD) domain. This is useful for things like System Center Configuration Manger task sequences and System Center Virtual Machine Manager templates.
First create a standard Windows user account. Next, right-click on the Computers Organisation Unit (OU) within your AD domain. From the menu choose Delegate Control…
On the next screen (Users or Groups) choose Add and select the user account you just created. Click Next. Choose “Create a custom task to delegate” on the next screen.
Next, choose to only delegate control to computer objects and tick Create and Delete selected objects in this folder. Click Next.
On the next screen choose to show general permissions and from the list select:
- Reset password
- Read and write account restrictions
- Validated write to DNS host name
- Validated write to service principal name
Click Next and finish to complete the wizard. Repeat this process for any other OUs where you’ll be joining computers to the domain.
Adding AD users to the local administrators group on multiple computers is simple using Group Policy. In this post I’ll describe the process.
Create a fresh group policy object (GPO) and link it to a test Organisation Unit (OU). Add a test server to the OU.
Open the GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
Right click and choose Add Group. If you want to add users to the local administrators group enter Administrators. In the next window under “Members of this group:” click Add and choose the users to add to the local administrators group. Note that any users that are currently in the local administrators group will be removed and replaced with the users you select here. If that is what you want click OK and close the GPO.
The second method allows you to add an AD security group to the local administrators group. This process is additive and users and groups that are currently in the local administrators group are untouched.
Navigate to Restricted Groups as previous, right click and choose Add Group. This time enter the name of the AD security group you wish to add to the local administrators group. Click Ok and on the next screen in the “This group is a member of:” section click Add. Enter Administrators to add the group to the local administrators group. Click OK and close the GPO to save changes. You can add additional users to the domain group and they will automatically be part of the local administrators group on servers that apply the GPO.