How to Grant Rights to be able to Manage Computer Accounts using the Provisioning Services Console

Article ID: CTX121201

Description

This article describes how to delegate to a user or group the rights needed to add workstations to an Active Directory (AD) domain from the Provisioning Server console.

Background

While it is possible to place AD users or groups in Built-In AD groups that already have this capability (such as Domain Administrators or Account Operators), those Built-In groups carry additional rights that are not explicitly required, which could pose a security risk. The process outlined in this article grants only the rights needed to add workstations to the domain, remove them from it, and reset the machine account passwords for those workstations.


Instructions

Complete the following steps to grant rights to manage computer accounts:

  1. On the Windows Domain Controller, open the Active Directory Users and Computers snap-in from Administrative Tools.

  2. Right-click the root domain object and select Delegate Control, as displayed in the following screen shot.

  3. Go through the Wizard and add any users or groups to which you want to grant the role.
    The best practice is not to add individual users. Instead, use groups to make managing the role easier. If a Provisioning Server Farm Administrator group has been created to manage Provisioning Server, this group can be added to allow those users to add workstations to the domain.

  4. Select the Join a computer to the domain role check box and finish the Wizard.

Note: The preceding procedure grants the privilege to join workstations to a domain, but it does not grant the rights to rejoin or delete workstation accounts. To grant this privilege, complete the following procedure.

These steps use a tool called ADSI Edit. This tool is included with Windows Server 2003 and 2008. For Windows Server 2000, it is available as a separate installation on the Windows 2000 Server installation CD.

  1. Go to Start > Run, type adsiedit.msc in the Run field, and click OK.

  2. On the root DC object, right-click and select Properties, as displayed in the following screen shot.

  3. Under the Security tab, select the account that was assigned to Join a computer to the domain role from the previous procedure and click Advanced.

  4. Select the account again and click Edit.


  5. Select the Allow check box for the Delete Computer Objects role.

  6. Click OK to accept all changes and close ADSI Edit.
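The same delegation (create and delete computer objects under the domain, plus reset of machine account passwords) can be applied and then audited from PowerShell instead of the two GUI procedures above. This is an added example, not part of the Citrix article; it assumes the ActiveDirectory module (RSAT) on a machine joined to the domain, a caller with rights to change the domain object's security descriptor, and uses the placeholder group name 'PVS Farm Admins'.

```powershell
# Added example: delegate computer-account management to a group on the domain root
# and then list every principal holding create/delete rights on computer objects.
# 'PVS Farm Admins' is a placeholder for your Provisioning Server Farm Administrator group.
Import-Module ActiveDirectory

$GroupName    = 'PVS Farm Admins'                               # placeholder group name
$DomainDN     = (Get-ADDomain).DistinguishedName                # e.g. DC=example,DC=com
$GroupSid     = (Get-ADGroup -Identity $GroupName).SID
$ComputerGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'computer' class
$ResetPwdGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # 'Reset Password' extended right

$acl = Get-Acl -Path "AD:\$DomainDN"

# Create Computer Objects (what the 'Join a computer to the domain' task grants)
# plus Delete Computer Objects (what the ADSI Edit procedure adds), scoped to the
# computer class only so the group gets no rights over users, groups or OUs.
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Reset Password on existing computer objects, which a rejoin needs.
$resetPwd = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ComputerGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($resetPwd)
Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

# Audit: who can create or delete computer objects at the domain root? Review this
# list periodically; anything beyond the intended group (and the defaults) is a finding.
Get-Acl -Path "AD:\$DomainDN" |
    Select-Object -ExpandProperty Access |
    Where-Object {
        $_.ObjectType -eq $ComputerGuid -and
        ($_.ActiveDirectoryRights -match 'CreateChild|DeleteChild')
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

The audit query at the end is also useful on its own for verifying what the GUI procedures actually wrote, since the Delegation of Control Wizard leaves no easily reviewed record of the ACEs it created.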

Additional Information

Citrix Documentation - Active Directory
Citrix Documentation - Provisioning Services 7.6