Rejoin computer to domain powershell5/30/2023 ![]() The -WhatIf and -Confirm parameters behave as they do in PowerShell cmdlets: -WhatIf tells what actions the script will perform without performing them, and -Confirm prompts for confirmation before taking any action. You can use this parameter If you are logged on using an account that doesn’t have sufficient permissions to grant the permissions of the computer account(s). The -Credential parameter specifies the credentials that have permissions to grant the permissions to the computer account(s). The -Domain parameter specifies the name of the domain where the computer account(s) reside(s) (e.g., fabrikam or ). This parameter does not support wildcards. This parameter accepts pipeline input, so you would also omit the parameter name if you pipe computer names to the script. You can omit the parameter name (-Name) if you place the computer account name(s) second on the script’s command line. The -Name parameter specifies the names of one or more computer accounts. The parameter name (-Identity) is optional if you specify it first on the command line. You can specify this parameter using the format username (e.g., kendyer), domain\username (e.g., fabrikam\kendyer), or (e.g., ). The -Identity parameter specifies who will be able to join computers to a domain. Grant-ComputerJoinPermission identity computername I wrote the Grant-ComputerJoinPermission.ps1 script to grant the four required permissions (see Figure 3) for one or more computer accounts. Manually granting computer join permissions using either the Change button or the Security tab is slow and error-prone, so let’s take a look at how we can automate the process with a PowerShell script. Click the Add button, choose a user or group that will be able to join the computer, then select the check boxes under the Allow column for Reset password, Validated write to DNS host name, Validated write to service principal name, and Write account restrictions, as shown in Figure 3, then click Apply. Double-click a computer object to display its properties, then choose the Security tab.ģ. (Otherwise, the Security tab for AD objects won’t be visible.)Ģ. On the View menu, enable the Advanced Features option. Here’s how to manually grant join permissions to a computer account using the ADUC console:ġ. Manually Granting Join Permissions Using the GUI Let’s take a look at how we would manually grant the permissions, and then I will introduce a PowerShell script you can use to automate the process. The Change button in the ADUC and ADAC GUIs works by granting a set of permissions on the computer object. ![]() You can grant computer join permissions when creating a computer account by clicking the Change button in the standard Microsoft GUI tools (see Callout 1 in Figures 1 and 2). Granting Permission to Join Computers to the Domain As a result, many organizations need to delegate permissions to join computers to the domain. Many domain administrators change this setting to zero in order to enforce compliance with organizational processes and standards (for example, to prevent users from creating arbitrary computer names). You can change this value in a domain by modifying the ms-DS-MachineAccountQuota attribute, as noted in the Microsoft knowledge base article Default limit to number of workstations a user can join to the domain ( ). By default, domain users can create and join up to 10 computers to the domain. The principle of least privilege also applies to the management of computer accounts. See the Delegating administration topic in the product documentation,, for more information about AD delegation. A common example is granting a service desk team permission to reset passwords and unlock user accounts. The larger the organization, the more likely it is that AD permissions are delegated to various groups. The principle of least privilege, as applied to Active Directory (AD), means that users should be granted only the minimum permissions necessary to complete their job functions. Get the Script: Grant-ComputerJoinPermission.ps1
0 Comments
Leave a Reply. |