On which OU should we delegate permissions for adding computer to a domain - clarify microsoft docs

AnJ

Following the principle of the Least-Privilege Administrative Model, I'm making a custom group for managing the domain that would be less privileged than Domain Administrator. For starters it should have permission for adding computers to the domain.

I'm testing many different ways of achieving this and I came across this article from Microsoft: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/access-denied-when-joining-computers

It states:

Locate and right-click the OU that you want to modify, and then select Delegate Control.

But I'm not sure what OU I should actually pick and I couldn't find any explanation inside the article (or am I blind?).

So which OU should it be? Built-in Computers? OU where I want the computer to ultimately reside (like custom OU "Servers" or "Workstations")? Something else?

Currently I delegated control over the whole domain (I have a single domain in my environment) and it is working, but I'm not sure whether it is either secure or good practice.

Semicolon
The "correct" OU is the OU in which you want the computer objects to be created.
AnJ
I honestly thought all computers land in the "Computers" OU. Is that not the case?
Semicolon
"Computers" is not an OU, it's a container. That's the default path; but you can specify your desired path when joining a machine, or you can use the redircmp command to change the default path for new computers.

Your AD environment should be organized in a way that best suits your/your company's needs.

A common approach is to create OUs for individual departments and have sub-OUs for Computers and Users.

Then, for example, if you want to delegate control to someone for only one department, you would pick the OU representing that department and delegate control there.

AnJ
This was not my question. I have my OU structure ready, but I didn't know where I should delegate control for adding computers to the domain: on the whole domain, on the Computers container, on my custom OU, etc. Anyway, Semicolon cleared my doubts in the comments.
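As an added example (not code from the thread or from the linked Microsoft article), here is what the delegation Semicolon describes looks like in PowerShell: the rights are placed on the OU where the computer objects should be created, not on the domain root or the default Computers container. The names are assumptions: domain example.com, OU "Workstations", group "Workstation-Joiners"; the per-computer rights are the ones the Microsoft article lists for joining machines to pre-created computer accounts.

```powershell
# Added example (not from the thread or the Microsoft article).
# Assumed names: domain example.com, target OU "Workstations", group "Workstation-Joiners".
# Delegates on the OU where computers will be created, not on the domain root.
Import-Module ActiveDirectory

$ouDN    = "OU=Workstations,DC=example,DC=com"
$group   = Get-ADGroup -Identity "Workstation-Joiners"
$sid     = $group.SID
$rootDse = Get-ADRootDSE

# Look the GUIDs up in the schema and configuration partitions instead of hard-coding them.
$computerClassGuid = [Guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID).schemaIDGUID
function Get-RightsGuid([string]$DisplayName) {
    [Guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid).rightsGuid
}

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$acl     = Get-Acl -Path "AD:\$ouDN"

# 1. "Create Computer objects" on this OU and its sub-OUs: the group can join new machines here.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid, $rights::CreateChild, $allow, $computerClassGuid, $inherit::All)))

# 2. Rights the Microsoft article lists for joining to pre-created accounts,
#    scoped to descendant computer objects only (not users, groups or the OU itself).
$perComputer = @(
    @{ Right = $rights::ExtendedRight;                          Guid = Get-RightsGuid 'Reset Password' },
    @{ Right = $rights::ReadProperty -bor $rights::WriteProperty; Guid = Get-RightsGuid 'Account Restrictions' },
    @{ Right = $rights::Self;                                   Guid = Get-RightsGuid 'Validated write to DNS host name' },
    @{ Right = $rights::Self;                                   Guid = Get-RightsGuid 'Validated write to service principal name' }
)
foreach ($p in $perComputer) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $p.Right, $allow, $p.Guid, $inherit::Descendents, $computerClassGuid)))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: only the entries above should show up for the group on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*Workstation-Joiners" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

If you had already delegated on the domain root, remove that ACE before applying this, and run dsacls against the root and the OU afterwards to confirm the group appears only where intended.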