Hi,
a) joining
Template 300: Join a computer to the domain is basically also "only" creating a computer object.
Same as in the GUI delegation wizard from Microsoft.
That should be enough for joining a new computer to the domain.
b) rejoining
But sometimes you also need to rejoin a computer to an existing computer object.
There are many articles around that topic, each a little bit different:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/access-denied-when-joining-computers
https://www.moderndeployment.com/correct-domain-join-account-permissions/
https://morgansimonsen.com/2013/12/17/delegating-computer-object-management-tasks-2/
According to the Microsoft article, a delegated admin would need these additional permissions to rejoin to an existing computer:

| Permission | Template |
|---|---|
| Create Computer Object | Template ID301 |
| Delete Computer Object | Template ID302 |
| Reset Password | Template ID306 |
| Read and write Account Restrictions | no Template? |
| Validated write to DNS host name | no Template? |
| Validated write to service principal name | no Template? |
c) Delegate Moving a Computer Object
For moving a computer object we need:

| Permission | Template |
|---|---|
| Create Computer Object in the Target OU | Template ID301 |
| Delete Computer Object in the Source OU | Template ID302 |
| Read all Properties | no template? |
| Write all Properties | no template? |
So I want to suggest a new template for this:

```powershell
@{
    ID          = 310
    Description = 'Template 310: Read/Write Properties of computer accounts'
    AppliesTo   = 'domainDNS,organizationalUnit,container'
    Template    = @(
        @{ Class = 'computer'; Property = '@'; Right = 'RP' },
        @{ Class = 'computer'; Property = '@'; Right = 'WP' }
    )
},
```
If this makes sense for you, please add the templates.
Also, maybe consider moving the templates into a JSON file, for easy changing outside of the code?
kind regards
Peter
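The following is an added example, not code from the issue or from the project it is filed against. It shows what the proposed template 310 (RP/WP on all properties of computer objects, where RP and WP are the SDDL abbreviations for ReadProperty and WriteProperty) and the two "no template?" validated writes from the Microsoft rejoin article look like as concrete ACEs on an OU. The function names (`Get-SchemaClassGuid`, `Get-ValidatedWriteGuid`, `ConvertTo-ComputerAccessRule`, `Grant-ComputerRejoinRight`) are my own, not the project's API; it assumes the ActiveDirectory module, the `AD:` PSDrive, and an account allowed to change the OU's security descriptor. The schema and extended-rights GUIDs are looked up from the directory rather than hardcoded.

```powershell
# Added example (not part of the issue or the project). Assumes the
# ActiveDirectory module, the AD: drive and rights to edit the OU's ACL.
Import-Module ActiveDirectory

# Template 310 exactly as proposed in the issue.
$Template310 = @{
    ID          = 310
    Description = 'Template 310: Read/Write Properties of computer accounts'
    AppliesTo   = 'domainDNS,organizationalUnit,container'
    Template    = @(
        @{ Class = 'computer'; Property = '@'; Right = 'RP' },
        @{ Class = 'computer'; Property = '@'; Right = 'WP' }
    )
}

# schemaIDGUID of an object class (e.g. 'computer'), used as the
# inherited-object-type so the ACE only applies to that class.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

# rightsGuid of a validated write / extended right, by its display name
# in CN=Extended-Rights (e.g. 'Validated write to DNS host name').
function Get-ValidatedWriteGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

# Turn the template's RP/WP entries into ActiveDirectoryAccessRule objects.
# Property '@' means "all properties": no object-type GUID, inherited to
# descendant objects of the template's class only.
function ConvertTo-ComputerAccessRule {
    param(
        [Parameter(Mandatory)][hashtable]$Template,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $rightMap = @{ RP = 'ReadProperty'; WP = 'WriteProperty' }   # SDDL -> .NET names
    foreach ($entry in $Template.Template) {
        if ($entry.Property -ne '@') { throw "This example only handles Property '@' (all properties)." }
        $classGuid = Get-SchemaClassGuid -LdapDisplayName $entry.Class
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid,
            [System.DirectoryServices.ActiveDirectoryRights]$rightMap[$entry.Right],
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $classGuid)
    }
}

# Apply template 310 plus the two validated writes for a group on an OU.
# Supports -WhatIf so the ACEs can be reviewed before anything is written.
function Grant-ComputerRejoinRight {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $rules = @(ConvertTo-ComputerAccessRule -Template $Template310 -Sid $sid)

    # Validated writes are granted with the 'Self' right and the
    # rightsGuid as object type, again limited to computer objects.
    $computerGuid = Get-SchemaClassGuid -LdapDisplayName 'computer'
    foreach ($name in 'Validated write to DNS host name', 'Validated write to service principal name') {
        $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::Self,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-ValidatedWriteGuid -DisplayName $name),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $computerGuid)
    }

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    if ($PSCmdlet.ShouldProcess($OuDistinguishedName, "add $($rules.Count) ACEs for $GroupName")) {
        Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
    }
    $rules   # returned so the caller can inspect or log what was granted
}

# Usage (placeholder names): review first with -WhatIf, then apply.
# Grant-ComputerRejoinRight -OuDistinguishedName 'OU=Workstations,DC=example,DC=test' -GroupName 'Computer-Joiners' -WhatIf
```

Two design points worth noting: every ACE is scoped with `Descendents` plus the `computer` schemaIDGUID, so the grant never reaches user or group objects in the same OU, and WriteProperty on all properties of computer objects is a broad right, so this should be applied only to the OU (or OUs) where rejoin and move are actually needed rather than at the domain root.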