When automating Active Directory computer object management, we need an account with precisely scoped permissions that can:
- Perform unlimited domain joins (bypassing the default 10-computer limit)
- Query computer objects across the directory
- Remove stale computer accounts
- Reorganize computers between OUs
Instead of using Domain Admin, we'll create a dedicated service account with these delegated rights:
# Active Directory Rights Required
- Create/Delete Computer Objects
- Read All Properties
- Write All Properties
- Reset Password (for domain join)
- Validated Write to DNS Host Name
- Validated Write to Service Principal Name
First, create an Organizational Unit for your service accounts:
New-ADOrganizationalUnit -Name "ServiceAccounts" -Path "DC=domain,DC=com"
# New-ADUser creates a disabled account unless a password is supplied and -Enabled is set
New-ADUser -Name "SVC_ADComputerMgmt" -Path "OU=ServiceAccounts,DC=domain,DC=com" `
    -AccountPassword (Read-Host -AsSecureString "Service account password") -Enabled $true
Then delegate control at the appropriate OU level:
# PowerShell delegation example (uses the AD: drive of the ActiveDirectory module)
Import-Module ActiveDirectory
$Account = Get-ADUser -Identity "SVC_ADComputerMgmt"
$OU = Get-ADOrganizationalUnit -Identity "OU=Computers,DC=domain,DC=com"
# schemaIDGUID of the 'computer' class: scopes CreateChild/DeleteChild to computer objects only.
# The all-zero GUID would mean "any object class", which is broader than this account needs.
$computerClassGuid = [guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
$path = "AD:\$($OU.DistinguishedName)"
$acl = Get-Acl -Path $path
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Account.SID,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl
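Once the ACEs are in place, the check a practitioner wants is a readable dump of what the account actually holds on the OU, with schema and extended-right GUIDs resolved to names and anything that would let it rewrite the ACL flagged. The following is an added example, not code from the original page; the function name Get-DelegatedRights, the OU and the account name are assumptions.

```powershell
Import-Module ActiveDirectory

function Get-DelegatedRights {
    # Lists every ACE on an OU that applies to one account, with object-type GUIDs resolved
    # to names, and flags rights that exceed what computer-object management needs.
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $rootDse = Get-ADRootDSE
    # Map object-type GUIDs to readable names: schema classes/attributes plus extended rights
    $guidMap = @{}
    $guidMap[[guid]"00000000-0000-0000-0000-000000000000"] = "<all object types>"
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(rightsGuid=*)" -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

    $sid = (Get-ADUser -Identity $SamAccountName).SID.Value
    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"
    # Any of these lets the holder rewrite the ACL or take full control; never expected for this account
    $overBroad = [System.DirectoryServices.ActiveDirectoryRights]"GenericAll, WriteDacl, WriteOwner"

    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -ne $sid) { continue }
        $objectType = $guidMap[$ace.ObjectType]
        if (-not $objectType) { $objectType = $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            ObjectType  = $objectType
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited
            OverBroad   = ([int]($ace.ActiveDirectoryRights -band $overBroad) -ne 0)
        }
    }
}

# Usage (assumed names): confirm the account holds only the computer-object rights that were delegated
Get-DelegatedRights -OUDistinguishedName "OU=Computers,DC=domain,DC=com" -SamAccountName "SVC_ADComputerMgmt" |
    Format-Table -AutoSize
```

Run it after every delegation change and keep the output with the change record; an ACE with OverBroad set to True, or one whose ObjectType is "<all object types>" where a single class was intended, is the usual sign that a delegation was typed too wide.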
To bypass the 10-computer limit, modify the Default Domain Controllers Policy:
# Group Policy setting
Computer Configuration → Policies → Windows Settings → Security Settings
→ Local Policies → User Rights Assignment → "Add workstations to domain"
Add the service account to this right.
Here's a PowerShell script that utilizes this account:
function Invoke-DomainJoin {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TargetOU,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    try {
        # Check whether a computer object with this name already exists, querying as the delegated account.
        # -ErrorAction Stop turns the AD cmdlets' non-terminating errors into exceptions the catch block sees.
        $computer = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Credential $Credential -ErrorAction Stop
        if ($computer) {
            # Move the existing computer object into the target OU
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU -Credential $Credential -ErrorAction Stop
        } else {
            # Join a new computer. Add-Computer joins the machine it runs on, so this branch would normally
            # run on the target machine (or be given -ComputerName/-LocalCredential to join a remote one).
            Add-Computer -DomainName "domain.com" -OUPath $TargetOU -Credential $Credential -Force -ErrorAction Stop
        }
        return $true
    } catch {
        Write-Error $_.Exception.Message
        return $false
    }
}
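The join and move operations are covered above; the remaining task in the list, removing stale computer accounts, is the one most likely to do damage if it runs blindly, so a worked version should disable and quarantine before it deletes and should honour -WhatIf. The following is an added example, not code from the original page: the function names, the quarantine OU, the 90-day and 30-day thresholds and the use of the description attribute as a quarantine stamp are all assumptions.

```powershell
Import-Module ActiveDirectory

function Get-StaleComputer {
    # Returns enabled computer objects under $SearchBase that have not contacted the domain for $InactiveDays.
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$InactiveDays = 90,
        [pscredential]$Credential
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $adParams = @{
        SearchBase = $SearchBase
        Filter     = "Enabled -eq 'True'"
        Properties = 'lastLogonTimestamp', 'pwdLastSet', 'whenCreated', 'OperatingSystem'
    }
    if ($Credential) { $adParams.Credential = $Credential }
    Get-ADComputer @adParams | ForEach-Object {
        # lastLogonTimestamp replicates with up to 14 days of lag and the machine password rotates every
        # 30 days by default, so a machine counts as stale only when BOTH are older than the cutoff.
        # Objects that never logged on carry no timestamp; fall back to the creation date for those.
        $lastLogon  = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $_.whenCreated }
        $pwdLastSet = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }         else { $_.whenCreated }
        if ($lastLogon -lt $cutoff -and $pwdLastSet -lt $cutoff) {
            [pscustomobject]@{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                LastLogon         = $lastLogon
                PasswordLastSet   = $pwdLastSet
                OperatingSystem   = $_.OperatingSystem
            }
        }
    }
}

function Invoke-StaleComputerCleanup {
    # Two-phase cleanup: newly stale machines are disabled and moved to a quarantine OU; machines that
    # have sat disabled in quarantine for $QuarantineDays are deleted. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$QuarantineOU,
        [int]$InactiveDays = 90,
        [int]$QuarantineDays = 30,
        [pscredential]$Credential
    )
    $credParam = if ($Credential) { @{ Credential = $Credential } } else { @{} }

    # Phase 1: disable, stamp the date into the description, and move into quarantine
    foreach ($c in Get-StaleComputer -SearchBase $SearchBase -InactiveDays $InactiveDays @credParam) {
        if ($c.DistinguishedName -like "*,$QuarantineOU") { continue }   # already quarantined
        if ($PSCmdlet.ShouldProcess($c.Name, "Disable and move to $QuarantineOU")) {
            Set-ADComputer -Identity $c.DistinguishedName -Enabled $false `
                -Description "Quarantined $(Get-Date -Format 'yyyy-MM-dd') by cleanup" @credParam
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU @credParam
        }
    }

    # Phase 2: delete only objects this process quarantined, and only after the grace period
    $deleteBefore = (Get-Date).AddDays(-$QuarantineDays)
    Get-ADComputer -SearchBase $QuarantineOU -Filter "Enabled -eq 'False'" -Properties Description, Modified @credParam |
        Where-Object { $_.Description -like 'Quarantined *' -and $_.Modified -lt $deleteBefore } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, "Delete computer object")) {
                # Remove-ADObject -Recursive also removes leaf objects (e.g. BitLocker recovery entries)
                # that make Remove-ADComputer fail on machines that stored them
                Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false @credParam
            }
        }
}

# Usage (assumed names): dry run first, then run for real under the delegated account
Invoke-StaleComputerCleanup -SearchBase "OU=Computers,DC=domain,DC=com" `
    -QuarantineOU "OU=Quarantine,DC=domain,DC=com" -WhatIf
```

The quarantine step is what makes the job safe to automate: a machine that was merely switched off for a quarter comes back by being re-enabled and moved, with its SID and group memberships intact, whereas a deleted object has to be rejoined. Note that the service account needs the delegated create/delete rights on the quarantine OU as well as on the source OU, since a move is a delete in one container and a create in the other.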
Additional hardening measures:
- Configure constrained delegation if the account needs to authenticate to multiple servers
- Set logon hour restrictions
- Enable auditing of all actions performed by this account
- Store credentials in Azure Key Vault or similar secure solution
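Two of those measures have a concrete, scriptable form: logon hours are a 21-byte bitmap on the account object, and auditing of the account's actions is a SACL entry on the OU rather than a global switch. The following is an added example, not code from the original page; the function names, the weekday 01:00-05:00 UTC maintenance window and the OU and account names are assumptions.

```powershell
Import-Module ActiveDirectory

function New-LogonHoursBitmap {
    # logonHours is a 21-byte (168-bit) mask with one bit per hour of the week, in UTC,
    # starting at bit 0 = Sunday 00:00-01:00. A set bit permits logon in that hour.
    param(
        [int[]]$DaysOfWeek,     # 0 = Sunday ... 6 = Saturday
        [int]$StartHourUtc,     # first permitted hour (inclusive)
        [int]$EndHourUtc        # hour at which the window closes (exclusive)
    )
    $mask = New-Object byte[] 21
    foreach ($day in $DaysOfWeek) {
        for ($hour = $StartHourUtc; $hour -lt $EndHourUtc; $hour++) {
            $bit       = $day * 24 + $hour
            $byteIndex = [int][math]::Floor($bit / 8)
            $mask[$byteIndex] = [byte]($mask[$byteIndex] -bor (1 -shl ($bit % 8)))
        }
    }
    return $mask
}

function Add-ComputerObjectAuditRule {
    # Adds a SACL entry so every create, delete or attribute write by the account beneath the OU is
    # logged, success and failure alike. "Audit Directory Service Changes" must also be enabled by
    # policy on the domain controllers, and the caller needs "Manage auditing and security log".
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $sid  = (Get-ADUser -Identity $SamAccountName).SID
    $path = "AD:\$OUDistinguishedName"
    $acl  = Get-Acl -Path $path -Audit
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild, WriteProperty",
        [System.Security.AccessControl.AuditFlags]"Success, Failure",
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Usage (assumed names): permit logon Monday-Friday 01:00-05:00 UTC only, and audit everything
# the account does to computer objects under the OU
$svc = "SVC_ADComputerMgmt"
$window = New-LogonHoursBitmap -DaysOfWeek 1,2,3,4,5 -StartHourUtc 1 -EndHourUtc 5
Set-ADUser -Identity $svc -Replace @{ logonHours = $window }
Add-ComputerObjectAuditRule -OUDistinguishedName "OU=Computers,DC=domain,DC=com" -SamAccountName $svc
```

Logon hours are enforced by the KDC, so a ticket request for this account outside the window fails regardless of where the credential is used, which is a cheap detection signal: any such failure is either a misconfigured job or someone else holding the credential. The audit rule produces directory service change events (4662/5136-series) that identify the object and attribute touched, which is what "log all computer join and management operations" needs in practice.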
When managing Active Directory (AD), you often need an account with specific permissions rather than full domain admin rights. The goal is to create an account that can:
- Join unlimited computers to the domain (bypassing the default 10-machine limit)
- Query computer objects in AD
- Delete stale computer accounts
- Move computers between Organizational Units (OUs)
Here's the detailed permission set required for each operation:
Domain Join Permissions
To allow joining computers without the 10-machine limit:
# CC;computer = Create Child objects of class computer in the default Computers container
dsacls "CN=Computers,DC=domain,DC=com" /G "DOMAIN\Account:CC;computer"
Computer Account Management
For querying, deleting, and moving computer objects:
# CCDC on the OU itself: create and delete computer objects (a move is a delete here plus a create at the destination)
dsacls "OU=TargetOU,DC=domain,DC=com" /G "DOMAIN\Account:CCDC;computer"
# GR / WP inherited onto computer objects (/I:S, second field empty, third field = class): read and write their attributes
dsacls "OU=TargetOU,DC=domain,DC=com" /I:S /G "DOMAIN\Account:GR;;computer"
dsacls "OU=TargetOU,DC=domain,DC=com" /I:S /G "DOMAIN\Account:WP;;computer"
Here's a PowerShell script to automate these permission assignments:
# Define parameters
$Account  = "DOMAIN\LimitedAdmin"
$Domain   = "DC=domain,DC=com"
$TargetOU = "OU=Computers,$Domain"
# Grant domain join permissions: create computer objects in the default Computers container
# (braces around the variable name stop PowerShell from parsing "$Account:CC" as a scoped variable)
dsacls "CN=Computers,$Domain" /G "${Account}:CC;computer"
# Grant computer management permissions on the target OU:
#   CCDC on the OU itself  - create/delete computer objects (also required to move them in or out)
#   GR and WP, inherited   - read and write attributes of the computer objects beneath it
dsacls $TargetOU /G "${Account}:CCDC;computer"
$Permissions = @("GR", "WP")
foreach ($perm in $Permissions) {
    dsacls $TargetOU /I:S /G "${Account}:${perm};;computer"
}
After setting up the account, test its capabilities:
# Test domain join (run on client machine)
Add-Computer -DomainName "domain.com" -Credential "DOMAIN\LimitedAdmin"
# Test computer management
Get-ADComputer -Filter * -SearchBase $TargetOU -Credential "DOMAIN\LimitedAdmin"
Move-ADObject -Identity "CN=Computer1,$TargetOU" -TargetPath "OU=NewOU,$TargetOU" -Credential "DOMAIN\LimitedAdmin"
When implementing this solution:
- Always use the principle of least privilege
- Regularly audit the account's activities
- Consider implementing Just-In-Time access for elevated operations
- Log all computer join and management operations