RESET Forums (homeservershow.com)

Allow users to join computers to domain - move to specific OU


xPETEZx

Hoping somebody has done this and can advise,

 

I need to allow a group of users to join computers to the domain. (We restrict this to IT folk)

I then need these computers to go to a specific OU.

 

So far, I have managed to get them joining systems to the domain, but have not worked out how to ensure those objects are created in the OU I'd like.

 

The backup option is to allow them to move computers from the Computers OU to their OU. However... I think I'd need to give them too many rights on the Computers OU to allow them to take objects from there. If going this route... Ideally I'd restrict their permission only to objects they created.

 

Anybody have suggestions?

 

I followed this to give them the ability to join. Yet currently they create in the default "Computers" OU.

https://tom-bullock.com/2016/09/01/allow-domain-users-to-join-computers-to-the-domain/


Hi xPETEZx,

 

As far as I know, you cannot Domain Join a computer into a specific OU during the join.

 

However, you can make it end up in a specific OU, but you have to pre-create the computer in the wanted OU first. And from what you are writing, it doesn't seem to be a feasible way.

 

Thanks,

 

Bjorn Dirchsen


2 hours ago, TheGuru said:

Hi xPETEZx,

 

As far as I know, you cannot Domain Join a computer into a specific OU during the join.

 

However, you can make it end up in a specific OU, but you have to pre-create the computer in the wanted OU first. And from what you are writing, it doesn't seem to be a feasible way.

 

Thanks,

 

Bjorn Dirchsen

 

I feared as much.

 

Wonder if I could create a PowerShell script they could use which first pre-creates the computer object, then joins it to the domain.

Have it just prompt for their creds.


  • 1 year later...

You can almost certainly do this but it would require some faffing around in user rights assignment to allow them to run certain scripts. I'd be very wary of allowing domain users to run PS scripts on a DC though, security nightmare.

 

What you could do instead is create a privileged users/power users security group in AD and add that into the relevant user rights assignment for running scripts. You might also have to add that group into a local administrators group somewhere.

 

I'd advise against this if it's production, much easier to let them join to the domain, then have a domain admin tidy AD up at a later date, which can also be done through URA :)

 

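An added example, not part of the original thread: the Add-Computer cmdlet in Windows PowerShell 5.1 accepts an -OUPath parameter naming the OU in which the computer account is created, so the join can be run on the workstation itself rather than on a DC. The domain name and OU distinguished name below are placeholders, and the script assumes the joining group has been delegated "Create Computer objects" on that one OU only.

```powershell
# Added example (not from the thread). Run elevated on the workstation being joined.
# Placeholders / assumptions: $DomainName and $TargetOU are constructed values, and the
# joining group is assumed to hold "Create Computer objects" on $TargetOU and nowhere else.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DomainName = 'corp.example.com',
    [string]$TargetOU   = 'OU=Workstations,DC=corp,DC=example,DC=com'
)

# Prompt for the delegated account; nothing is stored in the script.
$cred = Get-Credential -Message "Account allowed to join computers to $DomainName"

# Bind to the OU with those credentials first, so a mistyped DN or bad password
# fails here instead of part-way through the join.
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$DomainName/$TargetOU",
    $cred.UserName,
    $cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
try {
    $null = $entry.NativeObject   # forces the LDAP bind
    if ($entry.SchemaClassName -ne 'organizationalUnit') {
        throw "Object is a '$($entry.SchemaClassName)', not an organizationalUnit."
    }
}
catch {
    throw "Cannot use '$TargetOU' in ${DomainName}: $($_.Exception.Message)"
}
finally {
    $entry.Dispose()
}

# Create the computer account in the target OU and join in one step.
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Join $DomainName in $TargetOU")) {
    Add-Computer -DomainName $DomainName -OUPath $TargetOU -Credential $cred -ErrorAction Stop
    Write-Host "Joined $env:COMPUTERNAME to $DomainName in $TargetOU. Restart to complete the join."
}
```

Running it with -WhatIf performs the credential and OU checks without joining. The pre-check only confirms the account can read the OU; a missing create delegation still surfaces as an access-denied error from Add-Computer.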
