Friday, 19 July 2024

IT Officer Joins a Computer to the Domain

 To let an IT officer join client computers to the domain without giving them the ability to delete objects in Active Directory (AD), delegate a narrow set of permissions on one Organizational Unit (OU) using the Delegation of Control Wizard. The delegation covers only that OU and only computer objects. Here is how:

Step-by-Step Guide

  1. Open Active Directory Users and Computers (ADUC)

    • Press Win + R, type dsa.msc, and press Enter.
  2. Delegate Control to the IT Officer

    • In the ADUC console, right-click the Organizational Unit (OU) that the IT officer's joined computers should land in, for example a dedicated Workstations OU. Prefer a real OU over the built-in Computers container: the container is not an OU, so Group Policy cannot be linked to it.
    • Select "Delegate Control...".
  3. Delegation of Control Wizard

    • Click "Next" on the Welcome screen.
    • Click "Add..." to add the user or group (e.g., the IT officer or a group of IT officers).
    • Enter the name of the user or group and click "OK", then "Next".
  4. Choose Tasks to Delegate

    • Select "Create a custom task to delegate" and click "Next".
    • Choose "Only the following objects in the folder" and check "Computer objects".
    • Ensure "Create selected objects in this folder" is checked. Do not check "Delete selected objects in this folder".
    • Click "Next".
  5. Specify Permissions

    • Check "Read" and "Reset Password".
    • Also check the following specific permissions where the wizard lists them:
      • Validated write to DNS host name
      • Validated write to service principal name
      • Write Account Restrictions (together with Read Account Restrictions)
    • Do not check the generic "Write": it allows every attribute of every computer object in the OU to be changed, far more than a domain join needs. "Create Computer objects" plus the specific rights above is exactly what the join requires.
    • Click "Next" and then "Finish".
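As an added example (not code from the original post), here is the same delegation done in PowerShell with the ActiveDirectory module, which is easier to review and repeat than wizard clicks. It assumes a Domain Admin session with RSAT installed, an OU named OU=Workstations,DC=corp,DC=example and a group named IT-DomainJoin; both names are placeholders. It grants Create Computer objects on the OU and the specific rights from step 5 on descendant computer objects, plus Read, and deliberately omits the generic Write permission and every delete right.

```powershell
Import-Module ActiveDirectory

$ou       = "OU=Workstations,DC=corp,DC=example"          # placeholder: the OU the wizard is run on
$groupSid = (Get-ADGroup -Identity "IT-DomainJoin").SID   # placeholder: delegate to a group, not a person
$rootDse  = Get-ADRootDSE

# Resolve GUIDs from this forest's schema and Extended-Rights container instead of hard-coding them.
$computerClass = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID

function Get-RightsGuid([string]$DisplayName) {
    # Extended rights, validated writes and property sets all live under CN=Extended-Rights.
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$right.rightsGuid
}

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
function New-Ace([System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType,
                 [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit, [guid]$InheritedType) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($groupSid, $Rights, $Allow, $ObjectType, $Inherit, $InheritedType)
}

$rules = @(
    # Step 4: "Create selected objects in this folder" for Computer objects, on the OU and its sub-OUs.
    # No DeleteChild is granted anywhere.
    New-Ace CreateChild $computerClass All ([guid]::Empty)

    # Step 5, applied to descendant Computer objects only.
    # Reset Password is a control-access (extended) right.
    New-Ace ExtendedRight (Get-RightsGuid "Reset Password") Descendents $computerClass
    # Validated writes are granted as the Self right carrying the validated-write GUID, not as ExtendedRight.
    New-Ace Self (Get-RightsGuid "Validated write to DNS host name") Descendents $computerClass
    New-Ace Self (Get-RightsGuid "Validated write to service principal name") Descendents $computerClass
    # Account Restrictions is a property set (userAccountControl and related attributes): read and write it.
    New-Ace "ReadProperty, WriteProperty" (Get-RightsGuid "Account Restrictions") Descendents $computerClass
    # Read the computer objects. This stands in for the wizard's generic Write, which covers every attribute.
    New-Ace GenericRead ([guid]::Empty) Descendents $computerClass
)

$acl = Get-Acl -Path "AD:\$ou"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ou" -AclObject $acl
```

Running it twice is harmless: AddAccessRule merges identical entries. Because the rights are looked up by display name, the script works in any forest, including ones where the schema has been extended.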

Verify the Permissions

  1. Open Active Directory Users and Computers (ADUC)
    • Navigate to the OU where the delegation was set.
    • Right-click the OU and select "Properties".
    • Go to the "Security" tab and click "Advanced".
    • Look for the entries assigned to the IT officer or group. You should see "Create Computer objects" applied to "This object and all descendant objects", and the specific rights from step 5 applied to "Descendant Computer objects" only. There should be no entry granting Delete, Delete subtree, Modify permissions, Modify owner or Full control, and no entry applied to "All descendant objects".
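The manual check above is easy to get wrong because the Advanced Security dialog shows only a summary. The following added example (not from the original post) lists every ACE granted to the delegated group on the OU with GUIDs resolved to names, and flags any entry that goes beyond what a domain join needs. It assumes the placeholder names OU=Workstations,DC=corp,DC=example and CORP\IT-DomainJoin and an RSAT session with read access to the schema.

```powershell
Import-Module ActiveDirectory

$ou    = "OU=Workstations,DC=corp,DC=example"   # placeholder
$group = "CORP\IT-DomainJoin"                    # placeholder, as it appears in the ACL

# Map class, attribute and extended-right GUIDs to names so the ACEs are readable.
$rootDse = Get-ADRootDSE
$names = @{}
$names[[guid]::Empty.ToString()] = "(any)"
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $names[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(rightsGuid=*)" -Properties displayName, rightsGuid |
    ForEach-Object { $names[([guid]$_.rightsGuid).ToString()] = $_.displayName }

# GenericAll contains all of the delete and security-change bits, so it is caught by the first mask.
$deleteOrAcl  = [System.DirectoryServices.ActiveDirectoryRights]"Delete, DeleteChild, DeleteTree, WriteDacl, WriteOwner"
$genericWrite = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
$objectScoped = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, WriteProperty, Self, ExtendedRight"

function Test-Broad([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace) {
    $r = $Ace.ActiveDirectoryRights
    $flags = @()
    if ([int]($r -band $deleteOrAcl) -ne 0)          { $flags += "can delete or change security" }
    if (($r -band $genericWrite) -eq $genericWrite)  { $flags += "generic Write (every attribute)" }
    # A create/write/extended-right ACE with an empty object GUID applies to every child type, attribute or right.
    if ([int]($r -band $objectScoped) -ne 0 -and $Ace.ObjectType -eq [guid]::Empty) {
        $flags += "not limited to one object type or right"
    }
    $flags -join "; "
}

$acl = Get-Acl -Path "AD:\$ou"
$acl.Access | Where-Object { $_.IdentityReference.Value -eq $group } | ForEach-Object {
    [pscustomobject]@{
        Type      = $_.AccessControlType
        Rights    = $_.ActiveDirectoryRights
        Object    = $names[$_.ObjectType.ToString()]
        AppliesTo = "{0} {1}" -f $_.InheritanceType, $names[$_.InheritedObjectType.ToString()]
        Review    = Test-Broad $_
    }
} | Format-Table -AutoSize
```

A correct delegation shows an empty Review column on every row. If the wizard was run with "Write" checked, the GenericWrite row is flagged; remove it in the Advanced Security dialog and keep the specific rights.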

Adding a Computer to the Domain

  1. IT Officer Joins a Computer to the Domain
    • The IT officer can now join computers to the domain by right-clicking This PC, selecting Properties, and then Change settings under Computer name, domain, and workgroup settings.
    • Click Change, select Domain, and enter the domain name.
    • Provide the delegated account's credentials when prompted.
    • Note that this GUI join creates the computer account in the default Computers container (or wherever redircmp has redirected it), not in the delegated OU, so the delegation does not apply to it. To have the account land in the OU, either pre-create the computer account in the OU before joining (the join then uses the existing account), or join with a tool that accepts an OU path, such as the Add-Computer cmdlet's -OUPath parameter.
    • Also be aware that by default any authenticated user can join up to ten computers to the domain regardless of this delegation (the domain's ms-DS-MachineAccountQuota attribute). If joins should go only through delegated accounts, set that quota to 0.
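As an added example (not from the original post), here is the join done from PowerShell on the client so that the new computer account is created directly in the delegated OU. It assumes the placeholder domain corp.example and OU OU=Workstations,DC=corp,DC=example, and is run in an elevated PowerShell on the machine being joined.

```powershell
# Run on the client to be joined, in an elevated PowerShell session.
$domain = "corp.example"                            # placeholder
$ouPath = "OU=Workstations,DC=corp,DC=example"      # placeholder: the OU the delegation was set on

# Prompt for the delegated account; never embed its password in a script.
$cred = Get-Credential -Message "Account that was delegated computer-join rights"

# -OUPath creates the computer account inside the delegated OU, where the IT officer has
# Create Computer objects. Without it the account goes to the default Computers container,
# where this delegation does not apply and the outcome depends on ms-DS-MachineAccountQuota instead.
Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred -Restart
```

If the account already exists in the OU (pre-created by an administrator), Add-Computer reuses it; the delegate's Reset Password and validated-write rights are what make that reuse work.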

Prevent Deletion of Objects

Because the delegation grants Create but not Delete on computer objects, and no Full control, the IT officer cannot remove computer accounts from the OU; the rights granted cover creating and managing computer accounts only. Two caveats apply. First, the delegation protects only objects under this OU; it says nothing about computer accounts elsewhere in the domain. Second, in AD the account that creates an object becomes its owner, and an owner can modify that object's permissions. If that matters, an inheritable entry for the well-known "OWNER RIGHTS" identity on the OU, granting only Read, replaces the implicit owner rights on every object created beneath it. In either case, confirm the result with the test below.

Testing and Validation

  1. Test the Permissions
    • Signed in as the IT officer (not as an administrator), join a computer to the domain and verify that its account appears in the delegated OU.
    • With the same account, attempt to delete a computer object in that OU and confirm that access is denied.
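The following added example (not from the original post) automates that test from an admin workstation with RSAT: it performs each action with the IT officer's credentials and records whether the outcome matches what the delegation should allow, then checks the machine account quota. It assumes the placeholder delegated OU OU=Workstations,DC=corp,DC=example, a second OU OU=Servers,DC=corp,DC=example on which nothing was delegated, and a throwaway computer name DELEGTEST01; the cleanup at the end runs as the administrator, which is exactly what the delegate must not be able to do.

```powershell
Import-Module ActiveDirectory

$delegatedOu = "OU=Workstations,DC=corp,DC=example"   # placeholder: where the delegation was set
$otherOu     = "OU=Servers,DC=corp,DC=example"        # placeholder: an OU with no delegation
$name        = "DELEGTEST01"                          # placeholder: throwaway computer name
$delegate    = Get-Credential -Message "IT officer account (the delegate, not an admin)"

$results = [ordered]@{}
$created = $null

# Run $Action with the delegate's credentials and record whether the outcome matches the expectation.
function Test-Step([string]$Label, [scriptblock]$Action, [bool]$ExpectSuccess) {
    try   { & $Action; $succeeded = $true;  $detail = "succeeded" }
    catch { $succeeded = $false; $detail = $_.Exception.Message }
    $results[$Label] = if ($succeeded -eq $ExpectSuccess) { "PASS ($detail)" } else { "FAIL ($detail)" }
}

# Allowed: Create Computer objects was delegated on this OU.
Test-Step "create computer in delegated OU" {
    $script:created = New-ADComputer -Name $name -Path $delegatedOu -Credential $delegate -PassThru -ErrorAction Stop
} $true

# Denied: nothing was delegated on the other OU.
Test-Step "create computer outside delegated OU" {
    New-ADComputer -Name "${name}B" -Path $otherOu -Credential $delegate -ErrorAction Stop
} $false

# Denied: the delegate owns the object it created but was never granted Delete.
Test-Step "delete the computer it just created" {
    if (-not $created) { throw "nothing was created in the first step" }
    Remove-ADComputer -Identity $created.DistinguishedName -Credential $delegate -Confirm:$false -ErrorAction Stop
} $false

# Joins that do not target the OU go through ms-DS-MachineAccountQuota; 0 means only accounts
# with an explicit Create Computer objects right can add machine accounts.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties "ms-DS-MachineAccountQuota")."ms-DS-MachineAccountQuota"
$results["ms-DS-MachineAccountQuota is 0"] = if ($quota -eq 0) { "PASS" } else { "WARN (quota is $quota)" }

$results

# Cleanup as the administrator running this script.
if ($created) { Remove-ADComputer -Identity $created.DistinguishedName -Confirm:$false }
```

A FAIL on the delete step means the delegate has more than the wizard was supposed to grant (typically Full control or Delete inherited from a parent OU); the verification listing in the previous section shows which entry is responsible.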

By following these steps, you can ensure that the IT officer has the necessary permissions to join computers to the domain while preventing them from deleting any objects in Active Directory.
