PowerShell: Granting Computer Join Permissions

The principle of least privilege, as applied to Active Directory (AD), means that users should be granted only the minimum permissions necessary to complete their job functions. Here's how you can work towards that a little more easily with PowerShell.

Bill Stewart

April 19, 2016


Get the Script: Grant-ComputerJoinPermission.ps1

The principle of least privilege, as applied to Active Directory (AD), means that users should be granted only the minimum permissions necessary to complete their job functions. The larger the organization, the more likely it is that AD permissions are delegated to various groups. A common example is granting a service desk team permission to reset passwords and unlock user accounts. See the Delegating administration topic in the product documentation, https://technet.microsoft.com/en-us/library/cc778807.aspx, for more information about AD delegation.

The principle of least privilege also applies to the management of computer accounts. By default, domain users can create and join up to 10 computers to the domain. You can change this value in a domain by modifying the ms-DS-MachineAccountQuota attribute, as noted in the Microsoft knowledge base article Default limit to number of workstations a user can join to the domain (https://support.microsoft.com/en-us/kb/243327). Many domain administrators change this setting to zero in order to enforce compliance with organizational processes and standards (for example, to prevent users from creating arbitrary computer names). As a result, many organizations need to delegate permissions to join computers to the domain.

Granting Permission to Join Computers to the Domain

You can grant computer join permissions when creating a computer account by clicking the Change button in the standard Microsoft GUI tools (see Callout 1 in Figures 1 and 2).

The Change button in the ADUC and ADAC GUIs works by granting a set of permissions on the computer object. Let’s take a look at how we would manually grant the permissions, and then I will introduce a PowerShell script you can use to automate the process.

Manually Granting Join Permissions Using the GUI

Here’s how to manually grant join permissions to a computer account using the ADUC console:

1. On the View menu, enable the Advanced Features option. (Otherwise, the Security tab for AD objects won’t be visible.)

2. Double-click a computer object to display its properties, then choose the Security tab.

3. Click the Add button, choose a user or group that will be able to join the computer, then select the check boxes under the Allow column for Reset password, Validated write to DNS host name, Validated write to service principal name, and Write account restrictions, as shown in Figure 3, then click Apply.

Manually granting computer join permissions using either the Change button or the Security tab is slow and error-prone, so let’s take a look at how we can automate the process with a PowerShell script.
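To make the four permissions concrete, here is an added example (not Bill Stewart's Grant-ComputerJoinPermission.ps1) that sets the same four ACEs on a computer object from PowerShell and then audits that they are present. It assumes the ActiveDirectory module (RSAT) with its AD: drive, and the function names and the example identity FABRIKAM\kendyer are hypothetical.

```powershell
Import-Module ActiveDirectory

# The four rights the Change button grants, keyed to their schema GUIDs
# (two extended rights, two validated writes, one property set).
$JoinRights = @{
    'Reset password'                            = @{ Guid = '00299570-246d-11d0-a768-00aa006e0529'; Type = 'ExtendedRight' }
    'Validated write to DNS host name'          = @{ Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd'; Type = 'Self' }
    'Validated write to service principal name' = @{ Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1'; Type = 'Self' }
    'Write account restrictions'                = @{ Guid = '4c164200-20c0-11d0-a768-00aa006e0529'; Type = 'WriteProperty' }
}

function ConvertTo-Sid([string]$Identity) {
    # Resolve DOMAIN\user or user@domain to a SID so the ACE survives renames.
    (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Grant-JoinAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$ComputerName)
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $sid = ConvertTo-Sid $Identity
    foreach ($name in $JoinRights.Keys) {
        $r = $JoinRights[$name]
        # Object-specific Allow ACE: right type + GUID of the right/property set
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]$r.Type,
            [System.Security.AccessControl.AccessControlType]::Allow, [guid]$r.Guid)
        $acl.AddAccessRule($ace)
    }
    if ($PSCmdlet.ShouldProcess($dn, "Grant join permissions to $Identity")) {
        Set-Acl -Path "AD:\$dn" -AclObject $acl
    }
}

function Test-JoinAce {
    # Audit helper: reports which of the four rights $Identity holds on the computer.
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$ComputerName)
    $dn    = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $sid   = ConvertTo-Sid $Identity
    $rules = (Get-Acl -Path "AD:\$dn").GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($name in $JoinRights.Keys) {
        $guid = [guid]$JoinRights[$name].Guid
        $hit  = $rules | Where-Object { $_.IdentityReference -eq $sid -and
                                        $_.ObjectType -eq $guid -and $_.AccessControlType -eq 'Allow' }
        [pscustomobject]@{ Computer = $ComputerName; Right = $name; Granted = [bool]$hit }
    }
}

Grant-JoinAce -Identity 'FABRIKAM\kendyer' -ComputerName pc1 -WhatIf   # dry run
```

Run Test-JoinAce against the computer afterwards (or periodically) to confirm only the intended identities hold these rights, since each of them also lets the holder reset the computer's password.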

Grant-ComputerJoinPermission.ps1

I wrote the Grant-ComputerJoinPermission.ps1 script to grant the four required permissions (see Figure 3) for one or more computer accounts. The script’s syntax is as follows:

Grant-ComputerJoinPermission [-Identity] identity [-Name] computername [-Domain domain] [-Credential credential] [-WhatIf] [-Confirm]

The -Identity parameter specifies who will be able to join computers to a domain. You can specify this parameter using the format username (e.g., kendyer), domain\username (e.g., fabrikam\kendyer), or username@domain (e.g., kendyer@fabrikam.com). The parameter name (-Identity) is optional if you specify it first on the command line. This parameter does not support wildcards.

The -Name parameter specifies the names of one or more computer accounts. You can omit the parameter name (-Name) if you place the computer account name(s) second on the script’s command line. This parameter accepts pipeline input, so you would also omit the parameter name if you pipe computer names to the script. This parameter does not support wildcards.

The -Domain parameter specifies the name of the domain where the computer account(s) reside(s) (e.g., fabrikam or fabrikam.com).

The -Credential parameter specifies the credentials of an account that is allowed to modify the security descriptor of the computer account(s). Use this parameter if you are logged on with an account that doesn’t have sufficient permissions to change the permissions on the computer account(s).

The -WhatIf and -Confirm parameters behave as they do in PowerShell cmdlets: -WhatIf tells what actions the script will perform without performing them, and -Confirm prompts for confirmation before taking any action.

Sample Commands

1. Grant the kendyer account permission to join the computer pc1 to the domain:

Grant-ComputerJoinPermission kendyer pc1

2. Grant the kendyer account permission to join a list of computers to the domain:

Get-Content Computers.txt | Grant-ComputerJoinPermission kendyer -Verbose

In this example, the file Computers.txt contains a list of computer names (one per line). PowerShell will display the changes it makes because of the -Verbose parameter.

3. Grant the kendyer account permission to join the computer pc1 to the domain using alternate credentials:

Grant-ComputerJoinPermission kendyer pc1 -Credential (Get-Credential)

In this example, the Get-Credential cmdlet prompts for credentials, and PowerShell uses the credentials you enter for the -Credential parameter. (The parentheses around Get-Credential are required.)

4. Create a new computer account and grant the kendyer account permission to join it to the domain:

New-ADComputer SALES1 -Path "OU=Sales,DC=fabrikam,DC=com" -PassThru |  Grant-ComputerJoinPermission kendyer

In this example, the New-ADComputer cmdlet creates the computer object and outputs it using the -PassThru parameter. The computer object is then piped to Grant-ComputerJoinPermission.ps1, which grants the kendyer account permission to join the computer to the domain.

5. Create a list of computer accounts in an OU and grant the lynndyer account permission to join them to the domain:

Get-Content Computers.txt | ForEach-Object {  New-ADComputer $_ -Path "OU=Sales,DC=fabrikam,DC=com" -PassThru} | Grant-ComputerJoinPermission lynndyer

In this example, the Computers.txt file contains a list of computer names, one per line.

Automating Granting of Join Permissions

Granting permission to join computers to the domain no longer needs to be a slow and error-prone GUI process. You can now automate the process in PowerShell using Grant-ComputerJoinPermission.ps1.
