Dsacls delegation commands can be used in AD

Required permissions for delegating computer join in Active Directory, configured with dsacls
 02/04/2021 19:51:12
 Varga Gábor

Granting creation and deletion of computer objects on the OU

dsacls "<OU DN>" /I:T /G "<group_or_user>:CCDC;computer"

Granting the following permissions on descendant computer objects:

  • Generic Execute (GE)
  • Delete (SD)
  • Read Property (RP)
  • Write Property (WP)
  • Write Permissions (WD)
  • Reset password (CA;Reset Password)
  • Change password (CA;Change Password)
  • Validated write to DNS host name (WS;Validated write to DNS host name)
  • Validated write to service principal name (WS;Validated write to service principal name)
dsacls "<OU DN>" /I:S /G "<user or group>:GESDRPWPWD;;computer" "<user or group>:CA;Reset Password;computer" "<user or group>:CA;Change Password;computer" "<user or group>:WS;Validated write to service principal name;computer" "<user or group>:WS;Validated write to DNS host name;computer"
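The two commands above applied end to end, as an added PowerShell example that is not part of the original post: the placeholders are filled from variables (the OU DN and group name are assumed sample values), and afterwards the OU's ACL is read back and the ACEs granted to that principal are listed with their object-type GUIDs resolved to schema and extended-right names, so the delegation can be reviewed against the list of intended rights. It requires the ActiveDirectory module (RSAT) and an account allowed to modify the OU's permissions.

```powershell
# Added example, not from the original post. Assumed values: $ouDN and $principal.
Import-Module ActiveDirectory

$ouDN      = 'OU=Workstations,DC=corp,DC=example'   # assumed OU (sample value)
$principal = 'CORP\Workstation-Joiners'              # assumed delegation group (sample value)

# 1. Create/delete child computer objects (CC = Create Child, DC = Delete Child).
#    /I:T applies the ACE to the OU itself and all sub-objects.
dsacls $ouDN /I:T /G "${principal}:CCDC;computer"

# 2. Rights on descendant computer objects only (/I:S = sub-objects, not the OU itself):
#    generic rights GE/SD/RP/WP/WD, the two password extended rights (CA) and the two
#    validated writes (WS). The triple is permissions;property-or-right;object-type.
dsacls $ouDN /I:S /G "${principal}:GESDRPWPWD;;computer" `
    "${principal}:CA;Reset Password;computer" `
    "${principal}:CA;Change Password;computer" `
    "${principal}:WS;Validated write to service principal name;computer" `
    "${principal}:WS;Validated write to DNS host name;computer"

# 3. Verify. ACEs carry GUIDs, not names, so build a GUID -> name map from the schema
#    (object classes and attributes) and from the Extended-Rights container (control
#    access rights and validated writes), then print every ACE naming the principal.
$rootDSE = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.name }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { return 'All' }   # empty GUID = applies to everything
    $name = $guidMap[$g.ToString()]
    if ($name) { $name } else { $g.ToString() }  # fall back to the raw GUID if unknown
}

(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $principal } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType,
        @{ n = 'ObjectType'; e = { Resolve-AceGuid $_.ObjectType } },
        @{ n = 'AppliesTo';  e = { Resolve-AceGuid $_.InheritedObjectType } } |
    Format-Table -AutoSize
```

In the verification output, the first command should appear as a CreateChild/DeleteChild ACE with ObjectType "Computer" and InheritanceType "All", and the second as ACEs whose AppliesTo column is "Computer" and InheritanceType is "Descendents"; the extended rights and validated writes show up as ExtendedRight or Self entries with their resolved names in ObjectType. Any ACE for the principal that is not in that set is a candidate for removal.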

More details about the minimum permissions required for an account to join computers to the domain: https://jonconwayuk.wordpress.com/2011/10/20/minimum-permissions-required-for-account-to-join-workstations-to-the-domain-during-deployment/