
Following the principle of the Least-Privilege Administrative Model, I'm making a custom group for managing the domain that would be less privileged than Domain Administrator. For starters, it should have permission for adding computers to the domain.

I'm testing many different ways of achieving this and I came across this article from Microsoft: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/access-denied-when-joining-computers

It states:

Locate and right-click the OU that you want to modify, and then select Delegate Control.

But I'm not sure what OU I should actually pick and I couldn't find any explanation inside the article (or am I blind?).

So which OU should it be? Built-in Computers? OU where I want the computer to ultimately reside (like custom OU "Servers" or "Workstations")? Something else?

Currently I delegated control over the whole domain (I have a single domain in my environment) and it is working, but I'm not sure whether it is secure or good practice.

AnJ
  • The "correct" OU is the OU in which you want the computer objects to be created. – Semicolon Jul 28 '21 at 15:36
  • I honestly thought all computers land in the "Computers" OU. That is not the case? – AnJ Jul 28 '21 at 17:25
  • "Computers" is not an OU, it's a container. That's the default path; but you can specify your desired path when joining a machine, or you can use the redircmp command to change the default path for new computers. – Semicolon Jul 28 '21 at 17:33
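The scoped alternative to delegating at the domain root, as an added example that is not part of the question or its answers: grant the custom group only what the built-in "Join a computer to the domain" delegation grants, but on one OU. The group name `Workstation-Joiners` and the OU `OU=Workstations,DC=corp,DC=example` are assumptions; the schema GUIDs are the well-known ones for the computer class, Reset Password, the two validated writes, and the Account Restrictions property set.

```powershell
# Added example: least-privilege delegation for joining computers to a single OU.
# Group and OU names below are assumptions; replace them with your own.
Import-Module ActiveDirectory

$GroupName = 'Workstation-Joiners'                 # assumed custom group
$TargetOU  = 'OU=Workstations,DC=corp,DC=example'  # assumed target OU, not the Computers container

# Well-known schema/rights GUIDs used by the "Join a computer to the domain" delegation
$ComputerClass    = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$ResetPassword    = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$ValidatedDnsHost = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # validated write to dNSHostName
$ValidatedSpn     = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # validated write to servicePrincipalName
$AccountRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set

$sid = (Get-ADGroup $GroupName).SID
$acl = Get-Acl -Path "AD:\$TargetOU"

# 1. Create (and, for cleanup, delete) computer objects directly in this OU only
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'CreateChild, DeleteChild', 'Allow', $ComputerClass, 'None'))

# 2. Rights on the computer objects that will live here; inherited by descendant
#    computer objects only, never by users, groups or the OU itself
foreach ($rule in @(
    @{ Rights = 'ExtendedRight';               Type = $ResetPassword },
    @{ Rights = 'Self';                        Type = $ValidatedDnsHost },
    @{ Rights = 'Self';                        Type = $ValidatedSpn },
    @{ Rights = 'ReadProperty, WriteProperty'; Type = $AccountRestrict }
)) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rule.Rights, 'Allow', $rule.Type, 'Descendents', $ComputerClass))
}

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list only the ACEs that apply to the delegated group
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritanceType, InheritedObjectType -AutoSize
```

Members of the group can then join machines only when the join targets this OU (or when redircmp points the default path here); a join into any other OU is denied, which is the difference from delegating at the domain root.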

1 Answer


Your AD environment should be organized in a way that best suits your/your company's needs.

A common approach is to create OUs for individual departments and have sub-OUs for Computers and Users.

Then, for example, if you want to delegate control to someone for only one department, you would pick the OU representing that department and delegate control there.

AutoGnome
  • This was not my question. I have the OU structure ready but I didn't know where I should delegate control for adding computers to a domain: on the whole domain, on the Computers container, on my custom OU etc. Anyway, Semicolon cleared my doubts in the comments. – AnJ Aug 05 '21 at 13:50