Setting permissions to join or leave the domain

To join a UNIX computer to an Active Directory domain without predefining a computer account, your Active Directory user account must be set with the following permissions:

Target object: Parent container object for computer accounts (for example, domain/UNIX/Servers)

Permissions: On the Object tab, select Allow for the following permission, applied to this object only:

  • Create serviceConnectionPoint Objects

Note: You can grant this permission to specific users or groups by selecting the Join computers task in the Zone Delegation Wizard. The permission above covers the service connection point that the join writes; if the join must also create the computer account, the same account additionally needs Create Computer Objects on the container where the account is created, as described in the next table.

To join a UNIX computer to an Active Directory domain and place the computer account in a specific organizational unit (OU), the Active Directory account used to join the domain must be set with the following permissions:

Target object: Parent container object for the computer accounts (the OU that will hold the account)

Permissions: On the Object tab, select Allow for the following permissions, applied to this object only:

  • Create serviceConnectionPoint Objects
  • Create Computer Objects

To join a UNIX computer to an Active Directory domain when you are using a predefined computer account, your Active Directory user account must be set with the following permissions:

Target object: Parent container object for the computer account

Permissions: On the Object tab, select Allow for the following permission, applied to this object only:

  • Create serviceConnectionPoint Objects

Target object: Computer account object in Active Directory (for example, if the computer account is AJAX in the default Active Directory Computers container: domain/Computers/AJAX)

Permissions: On the Object tab, select Allow for the following permission, applied to this object only:

  • Full Control

Full Control is required for enabling or disabling the computer account. Grant it on the individual computer object only; applying it to the parent container would give the join account full control over every computer account in that container.

To remove a UNIX computer from an Active Directory domain, your Active Directory user account must be set with the following permissions:

Target object: Parent container object for the computer account

Permissions: On the Object tab, select Allow for the following permission, applied to this object only:

  • Delete serviceConnectionPoint Objects

Note: This permission only allows the user or group to leave the Active Directory domain; the computer account itself remains. If you also want the user or group to be able to delete the computer account, grant the Delete Computer Objects permission on the same container.
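The tables above describe the permissions as set in the Active Directory Users and Computers GUI. The following PowerShell script, an added example rather than code from this page or from the product documentation, grants the same object-specific rights with the ActiveDirectory module's AD: drive. It assumes RSAT with the ActiveDirectory module is installed, that the caller can modify the container's ACL, and uses placeholder names (the group UnixJoiners, the OU path OU=Servers,OU=UNIX,DC=example,DC=com for domain/UNIX/Servers, and the computer AJAX) that you would replace with your own. The class GUIDs for serviceConnectionPoint and computer are read from the schema so that nothing is hard-coded; inheritance is set to None, which is what "this object only" means in the GUI.

```powershell
# Added example (not from the page or the product): grant the join/leave
# permissions from the tables above using the ActiveDirectory module.
# All names below (group, OU, computer) are placeholders.
Import-Module ActiveDirectory

# Resolve a schema class to its schemaIDGUID. "Create serviceConnectionPoint
# Objects" is a CreateChild right whose ObjectType is the GUID of that class,
# so the GUID is looked up in the schema rather than hard-coded.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    return New-Object System.Guid -ArgumentList (,[byte[]]$cls.schemaIDGUID)
}

# Add one Allow ACE on $TargetDN for $Grantee. InheritanceType None is the
# GUI's "This object only": nothing beneath the container inherits the right.
# An empty ObjectType means the right is not limited to one class (used for
# Full Control on a single computer object).
function Grant-ADChildRight {
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Grantee,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty
    )
    $path = "AD:\$TargetDN"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Grantee, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# --- Usage with placeholder names ---
$joiners   = (Get-ADGroup 'UnixJoiners').SID                 # group delegated the join
$serversOU = 'OU=Servers,OU=UNIX,DC=example,DC=com'          # domain/UNIX/Servers
$scpGuid   = Get-SchemaClassGuid 'serviceConnectionPoint'
$cmpGuid   = Get-SchemaClassGuid 'computer'

# Join and create the computer account in the OU (second table).
Grant-ADChildRight -TargetDN $serversOU -Grantee $joiners -Rights CreateChild -ObjectType $scpGuid
Grant-ADChildRight -TargetDN $serversOU -Grantee $joiners -Rights CreateChild -ObjectType $cmpGuid

# Leave the domain (last table). Add DeleteChild on $cmpGuid only if the
# group must also be able to delete the computer account.
Grant-ADChildRight -TargetDN $serversOU -Grantee $joiners -Rights DeleteChild -ObjectType $scpGuid

# Predefined account (third table): Full Control on that one computer object,
# never on the container.
$ajaxDN = (Get-ADComputer 'AJAX').DistinguishedName
Grant-ADChildRight -TargetDN $ajaxDN -Grantee $joiners -Rights GenericAll

# Verify what was granted: the ACEs should show InheritanceType None and the
# ObjectType GUIDs resolved above.
(Get-Acl -Path "AD:\$serversOU").Access |
    Where-Object { $_.IdentityReference -like '*\UnixJoiners' } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
```

The same ACEs can be written from a command prompt with dsacls, for example `dsacls "OU=Servers,OU=UNIX,DC=example,DC=com" /G "EXAMPLE\UnixJoiners:CC;serviceConnectionPoint"` (CC is Create Child, DC is Delete Child, and the class name after the semicolon limits the right to that object type). Whichever tool you use, check the resulting ACL for the container with the verification step above: a CreateChild or GenericAll entry without an object type, or with inheritance set to descendants, grants considerably more than the join requires.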