set "the following user or group can join to a domain" after creating the computer

Question

I have come across an issue where a user can create a computer in AD, nobody else can join the computer to the domain except for the user who created it in AD.

When creating the computer in admin tools there is an option titled "the following user or group can join to a domain" if this is set to a certain group then that group can join to the domain.

When I look at the properties of a computer in the admin tools I cannot find this setting anywhere.

Where do I find this setting? Can this setting be changed using a script?

Answer 1

This isn't really a setting, but rather permissions. What the wizard does, is assigning the required permissions required to join a computer to that computer-object on the object for the user/group that you specified.

Usually what people do is adding a user to a ADgroup which has the required permissions to join computers; permissions being assigned on a parent container of the computers with inheritance enabled.

If you need to make only THAT person be able to join THAT computer, you would need to script it. Ex:

• Create a computer-object and choose a specific user in the wizard.
• Use ADSI or Powershell etc. to export the ACLs created for the specified user on that computer object
• Create a script that assigns the same permissions for a specified user on a specified computer.