Forum Discussion

Jul 31, 2025

Access rights on domain controller

I have three support team members, and I want to restrict their permissions so they only have rights to join computers to the domain and install software. Currently, someone from the team is frequently changing permissions, leading to confusion and blame-shifting. I'd like to prevent this by properly delegating roles.

We are using on-premises Active Directory with Windows Server 2022, and all users authenticate via the domain controllers. Could you please guide me on how to set up these specific permissions?

I tried delegations but had no luck.

1 Reply

  • Hi IemSaifi,

    Try the following solutions:

    Manage a team that can join computers to the domain:

    1. Open Active Directory Users and Computers. First, create an AD security group for your support team, for example SupportTeam-JoinDomain.
    2. Now create an OU where computer objects will be created (e.g., Workstations).
    3. Right-click the OU --> Delegate Control, add the SupportTeam-JoinDomain group, and click Next.
    4. In the wizard, choose Create a custom task to delegate.
    5. Choose the option Only the following objects in the folder.
    6. Here, check the option Computer objects.
    7. Then check the option Create selected objects in this folder.
       The second option, Delete selected objects in this folder, is optional: check it only if they should also be able to remove computers.
    8. Click Next.
    9. On the Permissions page, check the following options:
       • Reset Password
       • Read and write account restrictions
       • Validated write to DNS host name
       • Validated write to service principal name

    Install software locally without giving high-level domain rights:

    1. Create another security group, for example LocalAdmins-SupportTeam.
    2. Open the Group Policy Management console.
    3. Create a new GPO (e.g., Local Admins Support Team) and link it to the OU containing your computers.
    4. Edit the GPO and navigate to the following path:
       Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
    5. Here, right-click > New > Local Group.
       • Group Name: Administrators (built-in)
       • Action: Update
       • Add members: Add the group LocalAdmins-SupportTeam
    6. Add your support team members to LocalAdmins-SupportTeam.

    They will now be local administrators only, not domain admins.
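The Delegate Control wizard steps from the reply above, written out as a PowerShell script so the resulting ACEs are explicit and repeatable. This is an added example, not code from the thread; it assumes a hypothetical OU at OU=Workstations,DC=example,DC=com, that the group SupportTeam-JoinDomain already exists, and that the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread: PowerShell equivalent of the Delegate Control wizard steps.
# Assumes (hypothetical) OU=Workstations,DC=example,DC=com and group SupportTeam-JoinDomain exist,
# and that the RSAT ActiveDirectory module is available. Run as an account allowed to edit the OU's ACL.
Import-Module ActiveDirectory

$ouDN    = "OU=Workstations,DC=example,DC=com"          # assumed OU that will hold the computers
$sid     = (Get-ADGroup "SupportTeam-JoinDomain").SID    # delegate to the group, never to individuals
$rootDse = Get-ADRootDSE

# Resolve the object-class and extended-right GUIDs from this forest instead of hardcoding them
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID
function Get-RightGuid([string]$cn) {
    [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(cn=$cn)" -Properties rightsGuid).rightsGuid
}

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$acl     = Get-Acl -Path "AD:\$ouDN"

# "Create selected objects in this folder": computer objects only, in this OU and its sub-OUs
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights::CreateChild, $allow, $computerGuid, $inherit::All))
# Optional "Delete selected objects in this folder"; uncomment only if they may remove computers
# $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
#     $sid, $rights::DeleteChild, $allow, $computerGuid, $inherit::All))

# The four Permissions-page entries, scoped to descendant computer objects only
$perms = @(
    @{ Cn = "User-Force-Change-Password"; Right = $rights::ExtendedRight },                            # Reset Password
    @{ Cn = "User-Account-Restrictions";  Right = $rights::ReadProperty -bor $rights::WriteProperty }, # Read/write account restrictions
    @{ Cn = "Validated-DNS-Host-Name";    Right = $rights::Self },                                     # Validated write to DNS host name
    @{ Cn = "Validated-SPN";              Right = $rights::Self }                                      # Validated write to SPN
)
foreach ($p in $perms) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $p.Right, $allow, (Get-RightGuid $p.Cn), $inherit::Descendents, $computerGuid))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the ACEs now granted to the group on the OU and compare against the wizard's list
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*SupportTeam-JoinDomain" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the rights are written to the OU's ACL rather than to a broad group membership, the same Get-Acl query can be re-run later to detect any extra permissions someone has added.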