KB40401 - What permissions are needed on the service account used within PCS/PPS Active Directory standard mode authentication server and how to set it up using Delegate Control Wizard

When configuring an Active Directory Authentication Server instance (Standard mode) on a PCS/PPS device, the administrator must specify a service account that is used by the device to perform a join domain operation. In case full domain administrator level service account cannot be permitted, then this article specifies the minimum permissions that should be enabled on this service account. It also provides an example of how to set it up on Windows Server 2016 using Delegate Control Wizard.

Note: This article does not apply to the Legacy Mode of Active Directory Authentication server on PCS/PPS devices (Legacy mode has been deprecated. For details refer KB40251)

Example using Windows Server 2016

1. First identify the user account that needs to be provided with delegated privileges, then login to AD domain, right click on the computers folder.
2. Select Delegate Control > Next

  

 

3. In the Enter the object names to select, add the account.

4. Click Next

5. Select Create a custom task to delegate
6. Click Next

8. Select the radio button for Only the following objects in this folder and select the following options:

• Create selected objects in this folder
• Delete selected objects in this folder
• Computer objects

9. Click Next

10. Select the following checkboxes for:

• General
• Property-specific
• Creation/deletion of specific child objects” along with the ones specified below.

• Write
• Write All Properties
• Change Password
• Reset Password
• Validate Write to DNS host name
• Read and write DNS host name attributes

11. Click Next
12. Click Finish