
0 Votes
liuwei-cesm asked amanpreetsingh-msft answered

what domain user role to add user account

Hi,

I assigned a user as domain admin. I found that it does not have permission to approve a computer joining or leaving the domain.

Could you advise which role is needed for this level?

brgds
Liu Wei

azure-ad-domain-services

1 Answer

1 Vote
amanpreetsingh-msft answered

Hi @liuwei-cesm • Thank you for reaching out.

  • Any user who is a member of the Managed (Azure AD Domain Services) Domain can join a computer to the domain (as documented in step 5 under Join the VM to the managed domain). You need to make sure that the account you are using is either synchronized with an on-premises directory or a cloud-only user. You cannot use a Guest user account to join the Managed Domain in Azure. Also, make sure the password reset for the user account is done so that the Password Hash is synced from Azure AD to Azure AD Domain Services.

  • If you are using Local AD (On-premises Active Directory Domain Services), any domain user can join a computer to the domain unless you have applied the Group Policy below with specific users/groups.

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Expand User Rights Assignment > Add workstations to Domain

If this group policy is configured, only users/groups added to this policy can join the computer to the domain.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
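
An added example, not part of the original answer: a PowerShell function that reads a `secedit` user-rights export and lists the accounts granted "Add workstations to domain" (the `SeMachineAccountPrivilege` right), so you can check whether the policy has been restricted. The sample export lines and the `CONTOSO\WorkstationJoiners` group are constructed for illustration.

```powershell
# Added example: list who holds "Add workstations to domain" (SeMachineAccountPrivilege).
function Get-AddWorkstationsRight {
    param([Parameter(Mandatory)][string[]]$InfLines)

    # secedit writes the right as: SeMachineAccountPrivilege = *S-1-5-11,DOMAIN\group
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeMachineAccountPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # right is not defined in this export

    $value = ($line -split '=', 2)[1]
    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; try to resolve them to a name.
            $sid = $entry.TrimStart('*')
            try {
                $name = [System.Security.Principal.SecurityIdentifier]::new($sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
            [pscustomobject]@{ Sid = $sid; Name = $name }
        } else {
            # Entries without * are already account names.
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
}

# Constructed sample of an exported [Privilege Rights] section (not real output).
$sample = @(
    '[Privilege Rights]'
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544'
    'SeMachineAccountPrivilege = *S-1-5-11,CONTOSO\WorkstationJoiners'
)
Get-AddWorkstationsRight -InfLines $sample

# On a live domain controller (elevated prompt), export the policy and parse it:
# $cfg = Join-Path $env:TEMP 'user-rights.inf'
# secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
# Get-AddWorkstationsRight -InfLines (Get-Content $cfg)
```

If the output lists only specific users or groups rather than `S-1-5-11` (Authenticated Users), the policy has been restricted and other domain users will be refused when they try to join a computer.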
