Thursday, May 01, 2014

Advanced Topic: How to Give Rights to Add Unlimited Devices to your Domain without giving Domain Admin Rights

If you work on a larger network there will always be cases where IT staff need more permissions to accomplish certain tasks, while you hope to keep them from having the keys to the castle.  Making all of your staff domain admins with full access to everything will let them do any task that comes their way, but it is also risky: a domain admin account can change anything in the domain, and if that account is phished or its password reused, so can the attacker.  When faced with this decision, as network administrators or IT directors, the real challenge is finding the right balance between getting the work done quickly, which may increase risk, and having the work take a little longer, thereby reducing the risk.  The decision we make can be based on many things, including:
  • Who is being affected by a particular issue
  • How much we know and trust the person we are giving the increased access to
  • The work environment itself
  • The nature of the data we are trying to protect
  • A variety of other factors
One permission that can easily be given, without giving full access to the entire network, is the permission to add unlimited devices to the domain.  By default any authenticated user can join up to 10 computers to the domain (the domain's ms-DS-MachineAccountQuota attribute); delegating the right to create computer objects in a container removes that limit for the delegated users, because the quota only applies to users who do not already hold that right.  Adding devices to the domain is necessary for newly purchased devices, devices that have been rebuilt after a hardware or software failure, renaming a device, and various other troubleshooting tasks.  

To assign this permission to users or groups, follow the steps below:

  1. Log into a domain controller (or any machine with the Remote Server Administration Tools installed) and open "Active Directory Users and Computers" (dsa.msc).
  2. Right-click the container or organizational unit you want the new devices to be created in (often "Computers"), then select "Delegate Control" from the menu.  The delegation only covers the container you pick (and its sub-containers, if the permissions are inherited), so delegated users must join computers into that container, or pre-create the computer accounts there, for the new rights to apply.  A dedicated OU, rather than the default "Computers" container, keeps the scope of the delegation small and makes it easier to audit.

  3. In the Delegation of Control Wizard introduction screen click "Next".

  4. Click "Add" to add the users or groups you want to assign the new permission to.

  5. Add the users or groups until you are finished, then click "Next".

  6. In the Tasks to Delegate window, click the radio button at the bottom to "Create a Custom Task to Delegate", then click "Next".

  7. In the Active Directory Object Type window, click the radio button for "Only the following objects in the folder:".  Check the box for "Computer Objects".  Last, check the box next to "Create selected objects in this folder" and click "Next".

  8. In the Permissions window, under General, check the boxes for the following items, then click "Next".  These are the four rights a computer-join needs on the computer object it creates (or re-uses, when a rebuilt machine is joined under its old name):
    1. Reset password (lets the join set the machine account's password, including on an existing account for a rebuilt device)
    2. Read and write account restrictions (lets the join set the account's userAccountControl flags)
    3. Validated write to DNS host name
    4. Validated write to service principal name

  9. In the Summary window click Finish.
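The same delegation can be scripted, which makes it repeatable and easy to review.  The following PowerShell is an added example, not part of the original post: it grants the wizard's five rights (create computer objects, plus the four permissions from step 8) to a group on one OU, looking the rights' GUIDs up from the schema and the Extended-Rights container rather than hard-coding them, and then lists the resulting ACEs as a check.  The OU "OU=Workstations,DC=corp,DC=example" and the group "Workstation-Joiners" are assumptions; substitute your own, and run it on a host with the ActiveDirectory RSAT module as a user allowed to edit the OU's permissions.

```powershell
# Added example (not from the original post): delegate computer-join rights on an OU.
# Assumed names: the OU and the group below do not come from the post.
Import-Module ActiveDirectory

$ouDN  = 'OU=Workstations,DC=corp,DC=example'   # assumed
$group = Get-ADGroup 'Workstation-Joiners'        # assumed
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

$rootDse = Get-ADRootDSE

# schemaIDGUID of the "computer" class: used for "create computer objects" and to
# scope the other ACEs to computer objects only.
$computerGuid = [guid] (Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# Extended rights, property sets and validated writes are all published under
# CN=Extended-Rights in the configuration partition, keyed by displayName.
function Get-RightsGuid([string] $DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Rights GUID for '$DisplayName' not found" }
    [guid] $obj.rightsGuid
}

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# ACE on descendant computer objects only (inheritedObjectType = computer class).
function New-ComputerAce($right, [guid] $objectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $right, $Allow, $objectType, $Inherit::Descendents, $computerGuid
}

$acl = Get-Acl -Path "AD:\$ouDN"

# Wizard step 7: create computer objects in this OU (and sub-OUs).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, $Rights::CreateChild, $Allow, $computerGuid, $Inherit::All))

# Wizard step 8: the four permissions on the computer objects themselves.
$acl.AddAccessRule((New-ComputerAce $Rights::ExtendedRight (Get-RightsGuid 'Reset Password')))
$acl.AddAccessRule((New-ComputerAce ($Rights::ReadProperty -bor $Rights::WriteProperty) `
    (Get-RightsGuid 'Account Restrictions')))
# "Self" is the validated-write access bit.
$acl.AddAccessRule((New-ComputerAce $Rights::Self (Get-RightsGuid 'Validated write to DNS host name')))
$acl.AddAccessRule((New-ComputerAce $Rights::Self (Get-RightsGuid 'Validated write to service principal name')))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: show what the group now holds on this OU.  Expect one CreateChild entry and
# four entries inherited by computer objects only.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($group.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

To confirm the delegation works, have a member of the group join a test machine into that OU with `Add-Computer -DomainName corp.example -OUPath $ouDN -Credential (Get-Credential)` (or `netdom join ... /OU:`); a join into a different container will still count against the 10-machine quota, because the rights only exist on the OU you edited.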

Although this process can seem tedious, it is in fact rather fast. Also, if you assign the permission to a group, all you have to do later is add or remove users from that group, which takes less than a minute, and the group's membership is a single thing to review.  Keep in mind that whoever creates a computer object becomes its owner and can change that object's permissions afterwards, so scope the delegation to a dedicated OU for workstations rather than a container that also holds servers, and review the OU's permissions periodically.  Overall, if you need specific users to be able to add unlimited devices to your domain, yet do not want to give them full domain admin access, this process is well worth the effort to accomplish both. 
