Delegating permissions when preparing a computer account

When you prepare a computer account, you have the option to grant a specific user, group, or computer account the administrative permissions required to perform two separate tasks:

  • The permissions required to join the computer account to the domain.
  • The permissions required to set and manage computer-level overrides (user profile and role assignment overrides for that computer).

In most cases, you should select both options even if you want to grant different accounts the permissions required to perform each task.

However, it is possible to create a computer account without delegating permission for computer-level overrides by deselecting the Delegate permission for machine overrides option. If you deselect this option, no other user or group is granted the permissions required to set or manage computer-level overrides for user profiles or role assignments, so only you (and any account that already holds sufficient rights on the computer object through other means, such as a domain administrator) can set profile or role assignment overrides for the computer.

Likewise, it is possible to delegate permissions for computer-level overrides without preparing the computer to join the domain by deselecting the Prepare computer for adjoin option. If you deselect this option, the computer icon appears in the zone, but the Active Directory computer object and service connection point are not created. The designated trustee can set computer-level overrides for user profiles or role assignments, but no other user, group, or computer account is specifically granted the permissions required to join the computer to the domain.

If any authenticated user can add computers to the domain (the Active Directory default, which lets each authenticated user add up to 10 computers through the ms-DS-MachineAccountQuota attribute), then any user with a valid domain account can join Linux and UNIX computers to the domain. If adding computers to the domain requires an administrative account, only the administrator who created the computer account, or a trustee that was delegated the permissions to join it, can join that computer to Active Directory. For more information about who can add computers to a domain, see Identifying who can add computers to the domain.
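The two checks an administrator usually wants before relying on a delegated join are whether the domain still lets every authenticated user add computers, and which trustees actually hold rights on a pre-created computer object. The following script is an added example written for this page; it is not part of the original documentation or of the product it describes, and it does not reproduce the exact set of permissions the product grants. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host, and the computer name lnx-web01 is a placeholder. The attribute and control-access-right GUIDs it labels are the standard Active Directory ones; the set it flags (reset password plus writes to servicePrincipalName, dNSHostName and userAccountControl) is the typical minimum a join needs on an existing computer object, stated here as a general Active Directory assumption rather than as the product's own grant.

```powershell
# Added example, not product code. Assumes the RSAT ActiveDirectory module
# (which also provides the AD: PSDrive used by Get-Acl) and a domain-joined session.
Import-Module ActiveDirectory

# Standard AD schema / control-access-right GUIDs, used only to label ACEs for display.
$KnownRights = @{
    '00000000-0000-0000-0000-000000000000' = 'All properties / all extended rights'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (control access right)'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write: servicePrincipalName'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write: dNSHostName'
    'bf967a68-0de6-11d0-a285-00aa003049e2' = 'Attribute: userAccountControl'
}

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota lives on the domain naming-context head.
    # A value above 0 means Authenticated Users may each add that many computers
    # (if they also hold the "Add workstations to domain" user right on the DCs).
    $domain = Get-ADDomain
    $obj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    return [int]$obj.'ms-DS-MachineAccountQuota'
}

function Get-ComputerJoinDelegation {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Read the DACL of the pre-created computer object and keep only Allow ACEs
    # that confer write-type rights; these are the trustees who could complete a join
    # or otherwise control the account.
    $computer = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -match 'WriteProperty|Self|ExtendedRight|GenericWrite|GenericAll|WriteDacl|WriteOwner')
        } |
        ForEach-Object {
            $guid = $_.ObjectType.ToString()
            [pscustomobject]@{
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Target    = if ($KnownRights.ContainsKey($guid)) { $KnownRights[$guid] } else { $guid }
                Inherited = $_.IsInherited
            }
        } |
        Sort-Object Trustee, Target
}

# Placeholder computer name for this example.
$quota = Get-MachineAccountQuota
if ($quota -gt 0) {
    Write-Host "ms-DS-MachineAccountQuota = $quota : any authenticated user may add up to $quota computers."
} else {
    Write-Host "ms-DS-MachineAccountQuota = 0 : joining requires explicit rights on the computer object or its container."
}

Get-ComputerJoinDelegation -ComputerName 'lnx-web01' | Format-Table -AutoSize
```

Inherited ACEs are listed as well as explicit ones, because a trustee that can reset the password or write the validated attributes through an inherited ACE on the parent OU can join the computer just as well as one named directly on the object; compare the output against the trustees you intended to delegate when preparing the account.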