Active Directory rights delegation – part 1


In my previous article we discussed Active Directory rights delegation methods. This time you will see how to change and restrict which users can add workstations to the domain.

By default in an Active Directory environment, every member of “Authenticated Users” can add up to 10 workstations to the domain (the limit is stored in the ms-DS-MachineAccountQuota attribute of the domain object). After reaching the limit, the user is unable to add any more workstations. However, 10 workstations per user is a big number, and it leads to a security issue: anyone holding a valid domain account, including a compromised low-privilege one, can create computer accounts in the domain. Domain administrators should take care of that and disallow this activity for regular domain users.

Note! “Authenticated Users” is a built-in group that contains every user who has successfully logged on to the domain.

Note 2! By default only accounts that already have permission to create computer objects in the domain, such as members of “Domain Admins”, are able to add an unlimited number of workstations.

To change that behavior you need to modify one setting within the “Default Domain Controllers Policy” GPO. This setting is called “Add workstations to domain” and it is available under

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

and as you can see, its default value is “Authenticated Users”.

Add workstations to domain – default value

You should change this setting to secure your environment. The simplest way is to remove the “Authenticated Users” group there and put “Domain Admins” in its place. But in the Active Directory rights delegation concept, it is better to do it in a slightly different way.

I prefer to create a domain local group that is assigned in the policy, and then nest every other global group that is privileged for that action within it. In Active Directory Users and Computers, create an empty domain local security group named “dlg-join-computers-to-domain” and replace the “Authenticated Users” group in the “Default Domain Controllers Policy” with the new one.

Domain local security group

Now, open the Group Policy Management Console and edit the “Default Domain Controllers Policy”

Editing Default Domain Controller policy

Navigate to the node “Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment” and edit the “Add workstations to domain” setting by double-clicking it

Editing Default Domain Controller policy

Select the “Authenticated Users” group in the window and click the “Remove” button

Removing Authenticated Users from policy setting

Add the newly created domain local security group there to allow it to add workstations to the domain

Adding new group

Adding new group

Apply the changes and you have disallowed “Authenticated Users” from adding workstations to your domain

Adding new group

Now you can see that the setting has changed in the “Default Domain Controllers Policy”

New policy setting

That would be enough except for one small thing. The group is empty, there are no members 🙂 So, at least place the “Domain Admins” group in it to allow domain administrators to add workstations to the domain. Keep in mind that domain controllers apply the new user right at their next Group Policy refresh (or immediately after running gpupdate /force on them); until then the previous value is still in effect.

Granting domain administrators possibility to add computers to domain

At this moment, you can consider one more thing. In the rights delegation concept, you may wish to allow other users to join computers to the domain as well. Now it is a really easy task: you only need to add another allowed group to the domain local security group “dlg-join-computers-to-domain”. First, in the Active Directory Users and Computers console, create a new global security group called “gg-join-computers-to-domain” and make it a member of the “dlg-join-computers-to-domain” domain local group.
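The group structure above, plus a check of the resulting user right, done in PowerShell. This is an added example and not code from the original article. It assumes the RSAT ActiveDirectory module, an OU named “Groups” directly under the domain root (change $groupsOU to match your layout), and that you have already replaced “Authenticated Users” in GPMC as shown above, because User Rights Assignment has no native cmdlet. The GPO GUID is the well-known one of the Default Domain Controllers Policy and ms-DS-MachineAccountQuota is the standard attribute behind the 10-workstation default.

```powershell
# Added example, not from the original article. Creates the two groups, nests them,
# then reads back the "Add workstations to domain" right from the Default Domain
# Controllers Policy and the machine account quota. Run as an account that may create groups.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
# Assumption: groups live in OU=Groups under the domain root; adjust to your layout.
$groupsOU = "OU=Groups,$($domain.DistinguishedName)"

# 1. Domain local group that is assigned the user right in the policy
New-ADGroup -Name 'dlg-join-computers-to-domain' -SamAccountName 'dlg-join-computers-to-domain' `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU `
    -Description 'Holds the "Add workstations to domain" right in Default Domain Controllers Policy'

# 2. Global group in which the delegated users are managed
New-ADGroup -Name 'gg-join-computers-to-domain' -SamAccountName 'gg-join-computers-to-domain' `
    -GroupScope Global -GroupCategory Security -Path $groupsOU `
    -Description 'Users allowed to join computers to the domain'

# 3. Nest Domain Admins and the global group inside the domain local group, then show members
Add-ADGroupMember -Identity 'dlg-join-computers-to-domain' `
    -Members 'Domain Admins', 'gg-join-computers-to-domain'
Get-ADGroupMember -Identity 'dlg-join-computers-to-domain' | Select-Object Name, objectClass

# 4. Check which SIDs hold SeMachineAccountPrivilege in the Default Domain Controllers Policy.
#    The GPO GUID is fixed; the right is stored in GptTmpl.inf as a list of SIDs prefixed with '*'.
$ddcpGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
$inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$ddcpGuid" +
       '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$line = Get-Content -Path $inf |
    Where-Object { $_ -match '^\s*SeMachineAccountPrivilege\s*=' } |
    Select-Object -First 1

if (-not $line) {
    Write-Warning 'SeMachineAccountPrivilege is not defined in the policy; each DC keeps its local default.'
} else {
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = '<unresolved>' }
        '{0,-48} {1}' -f $sid, $name
    }
    if ($sids -contains 'S-1-5-11') {      # S-1-5-11 is Authenticated Users
        Write-Warning 'Authenticated Users still holds "Add workstations to domain".'
    }
}

# 5. The quota behind the "10 workstations" default, stored on the domain object
(Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

Only principals listed in the exported line can use the quota-based join path, so the expected result after the GPMC edit is the domain local group alone. As an additional hardening step, the quota itself can be set to 0 with `Set-ADDomain -Identity $domain.DNSRoot -Replace @{'ms-DS-MachineAccountQuota'='0'}`; the delegated group is not affected by that, because the explicit Create Computer Objects permission granted in the final step of this article is not subject to the quota.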

Creating global security group

Adding global group to local group

You need to change one more thing in AD to finalize the concept. The domain local group needs permission to create computer objects in the domain, because when you join a new workstation its computer account must be created. Without that permission, members of the group would still be limited by the 10-computer quota mentioned above; an explicit Create Computer Objects permission on the container is not subject to it. When the default configuration has not been changed (with the redircmp tool), new computer accounts are created in the “Computers” container.

Default computer objects location

To check details about delegating control, please read my previous article.

The last step is granting this group the appropriate rights. Please follow the steps below to achieve that

Delegating rights

Delegating rights – next step

Delegating rights – next step

Delegating rights – next step

Delegating rights – next step

Delegating rights – next step

From now on, you can simply control which users are allowed to join computers to the domain. Add them directly to your global group “gg-join-computers-to-domain” and that’s all.
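The delegation from the screenshots above, done in PowerShell through the AD: drive. This is an added example and not code from the original article. On the default Computers container it grants the domain local group Create/Delete Computer Objects together with the rights the comment thread below lists for re-joining an existing computer account (Read/Write Account Restrictions, Validated write to service principal name, Validated write to DNS host name) and Reset Password, which is also commonly required when the computer account already exists. It assumes the RSAT ActiveDirectory module and an account with Domain Admins-level rights; the GUIDs are the fixed schema values for the computer class and for those rights, and New-Ace is a helper defined here, not a cmdlet.

```powershell
# Added example, not from the original article. Delegates the rights needed to join
# and re-join computers on the default Computers container to the domain local group.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$container = "AD:\$($domain.ComputersContainer)"   # follows redircmp if the default was moved
$group     = Get-ADGroup -Identity 'dlg-join-computers-to-domain'
$groupSid  = $group.SID

# Fixed schema GUIDs: computer class, Account Restrictions property set,
# the two validated writes and the Reset Password extended right.
$computerClass   = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$accountRestrict = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'
$validatedSpn    = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
$validatedDns    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
$resetPassword   = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Helper (defined here, not a cmdlet): build one Allow ACE for the group. When
# -InheritedObjectType is given, the ACE applies only to descendants of that class.
function New-Ace {
    param(
        [Parameter(Mandatory)] [string] $Rights,        # e.g. 'CreateChild, DeleteChild'
        [Parameter(Mandatory)] [guid]   $ObjectType,    # property set / right / class GUID
        [Parameter(Mandatory)] [string] $Inheritance,   # 'All' or 'Descendents'
        [guid] $InheritedObjectType = [guid]::Empty
    )
    $argList = @(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance
    )
    if ($InheritedObjectType -ne [guid]::Empty) { $argList += $InheritedObjectType }
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $argList
}

$acl = Get-Acl -Path $container

# Create/Delete computer objects: this object and all descendants
$acl.AddAccessRule((New-Ace -Rights 'CreateChild, DeleteChild' -ObjectType $computerClass -Inheritance All))
# Read/Write Account Restrictions: descendant computer objects
$acl.AddAccessRule((New-Ace -Rights 'ReadProperty, WriteProperty' -ObjectType $accountRestrict `
    -Inheritance Descendents -InheritedObjectType $computerClass))
# Validated writes to SPN and DNS host name: descendant computer objects
$acl.AddAccessRule((New-Ace -Rights Self -ObjectType $validatedSpn -Inheritance Descendents -InheritedObjectType $computerClass))
$acl.AddAccessRule((New-Ace -Rights Self -ObjectType $validatedDns -Inheritance Descendents -InheritedObjectType $computerClass))
# Reset password: descendant computer objects (needed when the account already exists)
$acl.AddAccessRule((New-Ace -Rights ExtendedRight -ObjectType $resetPassword -Inheritance Descendents -InheritedObjectType $computerClass))

Set-Acl -Path $container -AclObject $acl

# Read back the ACEs that now belong to the group
(Get-Acl -Path $container).Access |
    Where-Object { $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\$($group.SamAccountName)" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The ACEs are scoped with InheritedObjectType so the group can only touch computer objects, not users or groups that may later be created in the same container. If you point $container at a dedicated workstation OU instead of the Computers container, the user right alone still lets a member join a computer into the default container, so either delegate on that container too or redirect new accounts to the OU with redircmp.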


Author: Krzysztof Pytko


7 responses to “Active Directory rights delegation – part 1”

  1. Just let me post anonymously says:

    “Join a computer to the domain” is not listed as a task when I go to delegate rights.

    • iSiek says:

      Have you followed the exact steps from that article? If so, please tell me what you see (please post a screenshot if possible).


  2. Michel Laos says:

    I used the same, but I have an issue: if the computer exists it does not work, it does not replace it. I need to delete the computer first.

    Maybe you know how to resolve this issue.

    I want to put the same computer in the domain and replace it. If I am a domain admin I can do this.

    • Stoyan says:

      Hello Michel,
      I see this is an old post, but it can still be useful to someone.

      Setting these 4 permissions works for me to replace existing computers:

      Allow whoever Create/Delete computer objects This obj. and all descendant..
      Allow whoever Read/Write account restrictions Descendant computer objects
      Allow whoever Validated write to service principal name Desc. comp. objects
      Allow whoever Validated write to DNS host name Descendant computer obj.


