I’m in the process of rebuilding my home lab and right now I have reached the point where I need to join my VMware ESXi hosts to the Active Directory infrastructure that makes up my lab domain. To do this I will set up a service account with delegated control to join computers to the domain. Delegation is a nice way of ensuring we don’t provide more permission than is necessary to an account, or group of accounts, which needs to perform a function. I have seen many instances of people granting domain admin or equivalent permissions to accounts so that ‘it works’ when really they should have taken the time to understand what was actually required and only delegated those rights. Always work on the principle of least privilege: only grant the permissions that are required and nothing more.
First we will open Active Directory Users and Computers (dsa.msc), right-click on the domain object and select Delegate Control.
This will cause a new wizard menu to open, click Next to proceed.
The first step is to select the user or group that we wish to delegate control to by clicking on the Add button and then entering the name of the user or group in the pop-up window. In my case it is a service user account I’m adding named sa.vmware.adjoin.
Having clicked OK, the wizard will show my selected account and we are ready to proceed to the next step. The wizard will ask which tasks should be delegated to the user – we can either select from a list of common tasks or choose to build our own custom task. In this case there is already an option for joining a computer to the domain.
With the relevant option selected we can click Next and complete the wizard.
Now that control has been delegated the service account has the necessary permissions to join new computers to the domain.
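The wizard does not show you what it actually wrote to the domain’s ACL, so it is worth reading it back and confirming that the service account ended up with the narrow right you intended and nothing broader. The script below is an added example and not part of the original post. It assumes the RSAT ActiveDirectory module is installed, that you run it as a domain user who can read the domain object’s security descriptor, and that the wizard’s “Join a computer to the domain” preset maps to a Create Child right scoped to the computer object class (schemaIDGUID bf967a86-0de6-11d0-a285-00aa003049e2); the account name sa.vmware.adjoin is the one from the post.

```powershell
# Added example, not from the original post.
# Assumes: RSAT ActiveDirectory module present, run on a domain-joined host.
Import-Module ActiveDirectory

$AccountName = 'sa.vmware.adjoin'   # service account used in the post

# Resolve the domain root and the account's SID so we can match ACEs reliably
# even if the ACL stores the identity in NTAccount form.
$Domain  = Get-ADDomain
$Account = Get-ADUser -Identity $AccountName
$Sid     = $Account.SID

# schemaIDGUID of the 'computer' object class (assumption: this is the object
# type the wizard's preset scopes the Create Child right to).
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Read the security descriptor of the domain object through the AD: drive.
$Acl = Get-Acl -Path ("AD:\" + $Domain.DistinguishedName)

# Keep only the ACEs that apply to our service account.
$Aces = $Acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid
}

if (-not $Aces) {
    Write-Warning "No ACEs found for $AccountName on $($Domain.DistinguishedName)."
    return
}

# Rights that would make the delegation far broader than 'join computers'.
$BroadRights = @('GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite')

$JoinRightFound = $false
foreach ($Ace in $Aces) {
    $Rights = $Ace.ActiveDirectoryRights.ToString()

    # Expected: Allow, CreateChild, scoped to the computer class.
    if ($Ace.AccessControlType -eq 'Allow' -and
        $Rights -match 'CreateChild' -and
        $Ace.ObjectType -eq $ComputerClassGuid) {
        $JoinRightFound = $true
        Write-Host "OK: Create Computer objects granted (inheritance: $($Ace.InheritanceType))"
        continue
    }

    # Anything in the broad list, or CreateChild with no object-type scope,
    # is more than least privilege requires for this task.
    $Broad = $BroadRights | Where-Object { $Rights -match $_ }
    if ($Broad -or ($Rights -match 'CreateChild' -and $Ace.ObjectType -eq [Guid]::Empty)) {
        Write-Warning "Over-broad ACE for $AccountName`: $Rights (ObjectType $($Ace.ObjectType))"
    }
    else {
        Write-Host "Other ACE present: $($Ace.AccessControlType) $Rights (ObjectType $($Ace.ObjectType))"
    }
}

if (-not $JoinRightFound) {
    Write-Warning "Expected 'Create Computer objects' right not found for $AccountName."
}
```

Run this after completing the wizard; the expected result is a single “OK” line and no warnings. A warning about an over-broad ACE usually means someone chose “Create a custom task” and ticked “Full Control”, or the account was added to a privileged group at some point, which is exactly the situation the post is trying to avoid.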