Active Directory permissions required to join Linux and Windows Computers to a Domain

I recently ran into an issue where I needed to create a service account with bare minimum permissions to add a Windows and a Linux server to a domain. Windows was fairly easy to join, since it only requires the 5 standard permissions, but the Linux server was throwing all kinds of errors. Linux servers require additional permissions to join AD through realm join or adcli.

ADDING THE DELEGATION

1. Open the Active Directory Users and Computers.
2. Create a new OU called Linux.
3. Right-click on the Linux OU container and select Delegate control.
4. Click Next.
5. Click Add and select the service account “joinad_svc@mylab.local” and click Next.
6. Select Create a custom task to delegate and click Next.
7. Select Only the following objects in the folder and check “Computer objects” from the list.
8. Place check marks beside “Create selected objects in this folder” and “Delete selected objects in this folder”. Click Next.
9. Select General and Property-specific, then select the following permissions from the list.

Standard permissions required to join systems to AD (Linux and Windows)

- Reset password
- Read and write account restrictions
- Validated write to DNS host name
- Validated write to service principal name
- Read and write DNS host name attributes

Additional permissions required by Linux machines to join AD (Linux)

- Read dNSHostName
- Write dNSHostName
- Read msDS-AdditionalSamAccountName
- Write msDS-AdditionalSamAccountName
- Read msDS-SupportedEncryptionTypes
- Write msDS-SupportedEncryptionTypes
- Read Operating System
- Write Operating System
- Read Operating System Version
- Write Operating System Version
- Read OperatingSystemServicePack
- Write OperatingSystemServicePack
- Read servicePrincipalName
- Write servicePrincipalName
- Read userAccountControl
- Write userAccountControl
- Read userPrincipalName
- Write userPrincipalName

10. Click Next.
11. Click Finish.
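The same delegation applied with PowerShell instead of the wizard, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a domain-admin session, and the OU and account names used above; attribute and extended-right GUIDs are looked up in the schema and Extended-Rights container rather than hard-coded.

```powershell
# Added example: grant joinad_svc the join permissions listed above on OU=Linux.
# Assumed names: OU=Linux,DC=mylab,DC=local and the joinad_svc account from the post.
Import-Module ActiveDirectory
$ou   = "OU=Linux,DC=mylab,DC=local"
$sid  = (Get-ADUser -Identity "joinad_svc").SID
$root = Get-ADRootDSE

# schemaIDGUID of an attribute or class, by lDAPDisplayName
function Get-SchemaGuid([string]$ldapName) {
    $o = Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
# rightsGuid of an extended right, validated write or property set, by displayName
function Get-RightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

$computerClass = Get-SchemaGuid "computer"
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$none  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl   = Get-Acl -Path "AD:$ou"

# Steps 7-8: create/delete computer objects in this OU
foreach ($r in "CreateChild", "DeleteChild") {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$r, $allow, $computerClass, $none))
}
# Helper: a rule on a specific right/attribute, inherited by computer objects only
function Add-ComputerRule([System.DirectoryServices.ActiveDirectoryRights]$rights, [guid]$objType) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rights, $allow, $objType, $desc, $computerClass))
}
# Standard permissions (Linux and Windows)
Add-ComputerRule "ExtendedRight" (Get-RightGuid "Reset Password")
Add-ComputerRule "Self" (Get-RightGuid "Validated write to DNS host name")
Add-ComputerRule "Self" (Get-RightGuid "Validated write to service principal name")
foreach ($set in "Account Restrictions", "DNS Host Name Attributes") {
    Add-ComputerRule "ReadProperty, WriteProperty" (Get-RightGuid $set)
}
# Additional attribute read/write permissions needed by realm join / adcli
foreach ($attr in "dNSHostName", "msDS-AdditionalSamAccountName", "msDS-SupportedEncryptionTypes",
                  "operatingSystem", "operatingSystemVersion", "operatingSystemServicePack",
                  "servicePrincipalName", "userAccountControl", "userPrincipalName") {
    Add-ComputerRule "ReadProperty, WriteProperty" (Get-SchemaGuid $attr)
}
Set-Acl -Path "AD:$ou" -AclObject $acl
```

Afterwards, `(Get-Acl "AD:$ou").Access | Where-Object IdentityReference -like "*joinad_svc"` lists the resulting ACEs so the delegation can be checked against the list above.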

REVOKING THE DELEGATION

1. Open the Active Directory Users and Computers console as a domain administrator.
2. Right-click the container or organizational unit (OU) for which you want to revoke the permissions and select Properties.
3. Navigate to the Security tab.
4. Remove the service account's permissions.
5. Click OK.


One Response to Active Directory permissions required to join Linux and Windows Computers to a Domain

  1. Min says:

    Hi
    Would you have a link to MSDN article where this was pulled from please?
    Is this for a native W2K16 and are the permissions still required for a W2K8 Schema?
