Forum Discussion
Access rights on domain controller
Hi IemSaifi
Try the following solutions:
Manage a team who can join computers to the domain:
Open Active Directory Users and Computers. First create an AD security group for your support team, for example SupportTeam-JoinDomain.
Now create an OU where computer objects will be created (e.g., Workstations).
Now right-click the OU --> Delegate Control, add the SupportTeam-JoinDomain group and click Next.
In the wizard, choose Create a custom task to delegate
Choose the option Only the following objects in the folder
Here check the option Computer objects
Then check the option Create selected objects in this folder
The second option, Delete selected objects in this folder, is optional; check it only if they should also be able to remove computers.
Now click Next.
On the Permissions page, check the following options:
Reset Password
Read and write account restrictions
Validated write to DNS host name
Validated write to service principal name
Install software locally without giving high-level domain rights:
Create another security group, for example LocalAdmins-SupportTeam.
Open Group Policy Management console
Create a new GPO e.g., Local Admins Support Team, link it to the OU containing your computers.
Edit the GPO and navigate to the following path:
Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
Here, right-click > New > Local Group.
- Group Name: Administrators (built-in)
- Action: Update
- Add members: Add the group LocalAdmins-SupportTeam
Add your support team members to LocalAdmins-SupportTeam
They will now be local administrators only, not domain admins.
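The two procedures above (delegating computer-join rights on the OU, and the GPO that grants local admin) as one PowerShell script. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory and GroupPolicy modules, a session allowed to edit the OU's ACL and create GPOs, and the same hypothetical names as the post (SupportTeam-JoinDomain, LocalAdmins-SupportTeam, an OU called Workstations, a GPO called Local Admins Support Team). The schema and extended-right GUIDs are looked up from the forest by the display names the wizard shows, rather than hardcoded.

```powershell
# Added example (not from the original post). Scripts the delegation wizard
# steps and the GPO creation described above. Names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain     = Get-ADDomain
$joinGroup  = 'SupportTeam-JoinDomain'
$adminGroup = 'LocalAdmins-SupportTeam'
$ouDN       = "OU=Workstations,$($domain.DistinguishedName)"
$gpoName    = 'Local Admins Support Team'
$alsoDelete = $false   # $true also delegates "Delete selected objects in this folder"

# --- Part 1: groups, OU and delegation on the OU ---------------------------
foreach ($name in $joinGroup, $adminGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path $domain.UsersContainer
    }
}
if (-not (Get-ADOrganizationalUnit -Identity $ouDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name 'Workstations' -Path $domain.DistinguishedName
}

# Resolve GUIDs from this forest: the computer class from the schema partition,
# the rights from CN=Extended-Rights by the display names the wizard uses.
$rootDse      = Get-ADRootDSE
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$rightsBase   = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
function Get-RightGuid([string]$DisplayName) {
    [guid](Get-ADObject -SearchBase $rightsBase -LDAPFilter "(displayName=$DisplayName)" `
        -Properties rightsGuid).rightsGuid
}
$resetPwGuid  = Get-RightGuid 'Reset Password'
$acctRestGuid = Get-RightGuid 'Account Restrictions'
$dnsHostGuid  = Get-RightGuid 'Validated write to DNS host name'
$spnGuid      = Get-RightGuid 'Validated write to service principal name'

$sid   = (Get-ADGroup $joinGroup).SID
$acl   = Get-Acl -Path "AD:\$ouDN"
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# "Create (and optionally Delete) selected objects in this folder", limited to
# computer objects; applies to the OU and any sub-OUs.
$createRights = if ($alsoDelete) { 'CreateChild, DeleteChild' } else { 'CreateChild' }
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]$createRights, $allow,
    $computerGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# The four permissions from the wizard's Permissions page, scoped to descendant
# computer objects only (inheritedObjectType = computer class).
$rules = @(
    @{ Rights = 'ExtendedRight';               Type = $resetPwGuid  }   # Reset Password
    @{ Rights = 'ReadProperty, WriteProperty'; Type = $acctRestGuid }   # Read/write account restrictions
    @{ Rights = 'Self';                        Type = $dnsHostGuid  }   # Validated write to DNS host name
    @{ Rights = 'Self';                        Type = $spnGuid      }   # Validated write to SPN
)
foreach ($r in $rules) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$r.Rights, $allow, $r.Type,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $computerGuid))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# --- Part 2: GPO that makes LocalAdmins-SupportTeam a local Administrator ---
if (-not (Get-GPO -All | Where-Object Name -eq $gpoName)) {
    New-GPO -Name $gpoName -Comment "Adds $adminGroup to local Administrators" | Out-Null
}
if (-not ((Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}
# There is no cmdlet for the Local Users and Groups preference item; add it in
# the GPO editor exactly as described above (Administrators (built-in),
# Action: Update, member: LocalAdmins-SupportTeam).

# Verify the delegation: list the ACEs on the OU granted to the join group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$joinGroup" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
# On a workstation in the OU, after gpupdate /force, confirm the GPO applied:
#   Get-LocalGroupMember -Group Administrators
```

Two caveats worth checking when using this. First, by default any authenticated user can still join up to ten computers to the domain through ms-DS-MachineAccountQuota, so set that attribute to 0 on the domain object if the delegated group is meant to be the only path. Second, the Reset Password right lets the join group reset any computer account password under the OU, so keep that group's membership as small as the local-admin group's.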