Configuring the Active Directory Domain Join Account

The Active Directory (AD) Domain Join Account is a service account that Workspot uses to join Cloud Desktops and servers to the local domain so that Group Policy can be applied to them. The account needs a specific, limited set of permissions to perform this action. Using a Domain Administrator account for this purpose is not recommended and is considered bad security practice: the credentials are used by an automated provisioning process, so the account should carry no more rights than the join itself requires.

Prerequisites

  1. Create a standard domain user account with a long, randomly generated password. Do not add it to any privileged group (Domain Admins, Account Operators, and so on).

  2. Set the service account password to Never Expire. Because the domain password policy will then no longer force rotation, rotate the password on a schedule of your own.

  3. The Organizational Units (OUs) that will contain the Workspot Cloud Desktops and the Workspot servers must already exist.


Setting Permissions For The Service Account 

The permissions for the service account need to be set at the correct point in the AD hierarchy. We recommend that the permissions are applied to each of the individual OUs you intend to use with Workspot, for example the Workspot Cloud Desktops OU and the Workspot Servers OU, and not higher up (such as the domain root). Write All Properties and Modify Permissions on a computer object are sufficient to take full control of that computer object, so the account can control every computer in the OUs you delegate; keeping the delegation confined to the Workspot OUs limits the damage if the account is ever compromised.

The permissions are applied with two different scopes (the "Applies to" setting in ADUC). The first set is applied to "This object and all descendant objects", and the second set is applied to "Descendant Computer objects".

The effective permissions and scopes delegated to each OU for the Service Account are as follows:

  • Create Computer Objects - This object and all descendant objects

  • Delete Computer Objects - This object and all descendant objects

  • List Contents - Descendant Computer Objects

  • Read All Properties - Descendant Computer Objects

  • Write All Properties - Descendant Computer Objects

  • Read Permissions - Descendant Computer Objects

  • Modify Permissions - Descendant Computer Objects

  • Change Password - Descendant Computer Objects

  • Reset Password - Descendant Computer Objects

  • Validated write to DNS host name - Descendant Computer Objects

  • Validated write to service principal name - Descendant Computer Objects

There are two different methods to apply the permissions, one via the command line, and one via Active Directory Users and Computers.

Using Active Directory Users and Computers

The method to add the permissions in Active Directory Users and Computers (ADUC) is to manually grant each permission on the required OU using the Advanced Security Settings dialog.

  1. Open ADUC with a user that has permissions to delegate control. We recommend this is done by your Domain Administrator.

  2. Be sure that you are viewing ADUC with Advanced Features turned on: View > Advanced Features

  3. Right Click the OU you are setting permissions for and select Properties

  4. From the Properties page, click the “Security” tab and then the “Advanced” button

  5. Click “Add”

  6. Use the “Select principal” link to select the newly created Service Account

  7. From the “Applies to” dropdown, select “This object and all descendant objects”

  8. Under Permissions, check the two boxes for “Create Computer Objects” and “Delete Computer Objects”

  9. Click OK to save the changes

  10. Repeat steps 3-6 above

  11. From the "Applies to" dropdown, select "Descendant Computer objects"

  12. Under Permissions, check the boxes for:

    1. List Contents

    2. Read all properties

    3. Write all properties

    4. Read permissions

    5. Modify permissions

    6. Change password

    7. Reset password

    8. Validated write to DNS host name

    9. Validated write to service principal name

  13. Click OK to save the changes

Using Dsacls

Dsacls is a command line tool from Microsoft that is installed as part of the Active Directory Domain Services role, or with the RSAT tools for Active Directory. To run Dsacls, open an administrative command prompt with an account that has the appropriate privileges within Active Directory; we recommend running these commands as a Domain Administrator. The commands below delegate a single OU; run them again against each additional OU you use with Workspot (for example the Workspot Servers OU). In the example commands below, the following is true:

  • The domain is example.com

  • The target OU for the permissions is OU=WorkspotCloudDesktops,DC=example,DC=com

  • The Domain Join Service Account is svc-wkspt-djoin

  1. Open Command Prompt with the "Run as Administrator" option (the quotes in the commands below must be plain ASCII double quotes; typographic quotes copied from a document will make dsacls fail to parse the arguments)

  2. Grant rights to create and delete Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:CCDC;Computer" /I:T

  3. Grant rights to list Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:LC;;Computer" /I:S

  4. Grant rights to read security information from Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:RC;;Computer" /I:S

  5. Grant rights to modify security information on Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:WD;;Computer" /I:S

  6. Grant rights to read properties of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:RP;;Computer" /I:S

  7. Grant rights to write properties to Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:WP;;Computer" /I:S

  8. Grant rights to reset the password of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:CA;Reset Password;Computer" /I:S

  9. Grant rights to change the password of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:CA;Change Password;Computer" /I:S

  10. Grant rights to write the SPN of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:WS;Validated write to service principal name;Computer" /I:S

  11. Grant rights to write the DNS host name of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:WS;Validated write to DNS host name;Computer" /I:S

  12. Verify the result by listing the OU's DACL and checking the entries for the service account

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com"

For more information on Dsacls see: https://technet.microsoft.com/en-us/library/cc771151.aspx
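The same delegation can be done in PowerShell, which is convenient when you have several Workspot OUs to delegate and want a repeatable, reviewable script. The block below is an added example written for this page; it is not Workspot's own tooling. It assumes the names used above (domain example.com, service account svc-wkspt-djoin, OU=WorkspotCloudDesktops) plus an assumed second OU, OU=WorkspotServers, and that it is run with the ActiveDirectory module by a user who can modify the OU DACLs (a Domain Administrator, as recommended). The class and extended-right GUIDs are looked up from the schema at run time rather than hard-coded, so the script works unchanged in any forest.

```powershell
# Added example, not part of the Workspot documentation: delegate the documented
# domain-join rights to the service account on each Workspot OU via the AD: drive.
# Assumed names: example.com, svc-wkspt-djoin, and the two OUs below.
Import-Module ActiveDirectory

$Account   = 'svc-wkspt-djoin'
$TargetOUs = @(
    'OU=WorkspotCloudDesktops,DC=example,DC=com',   # OU name from the page
    'OU=WorkspotServers,DC=example,DC=com'          # assumed name for the servers OU
)

$RootDse = Get-ADRootDSE
$Sid     = (Get-ADUser -Identity $Account).SID      # IdentityReference for the ACEs

# Resolve GUIDs from the schema instead of hard-coding them.
$ComputerClass = [guid](Get-ADObject -SearchBase $RootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

function Get-ExtendedRightGuid {
    # Extended rights and validated writes live under CN=Extended-Rights in the
    # configuration partition; displayName is what ADUC and dsacls show.
    param([string]$DisplayName)
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    [guid]$right.rightsGuid
}

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$Rules = @()

# "This object and all descendant objects": Create / Delete Computer objects
# (object type = computer class, no inherited-object-type restriction)
$Rules += [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $Allow, $ComputerClass, $All)

# "Descendant Computer objects": List Contents, Read/Write All Properties,
# Read Permissions, Modify Permissions (inherited-object-type = computer class)
$Rules += [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty, ReadControl, WriteDacl',
    $Allow, $Desc, $ComputerClass)

# Reset Password / Change Password are control-access (extended) rights
foreach ($name in 'Reset Password', 'Change Password') {
    $Rules += [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $Allow, (Get-ExtendedRightGuid $name), $Desc, $ComputerClass)
}

# Validated writes are the "Self" right qualified by the validated-write GUID
foreach ($name in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $Rules += [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]::Self,
        $Allow, (Get-ExtendedRightGuid $name), $Desc, $ComputerClass)
}

# Apply to each OU. AddAccessRule merges into the existing DACL, so re-running
# the script does not duplicate entries.
foreach ($ou in $TargetOUs) {
    $acl = Get-Acl -Path "AD:\$ou"
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$ou" -AclObject $acl
}

# Verify: show only the ACEs granted to the service account on each OU.
foreach ($ou in $TargetOUs) {
    "== $ou"
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like "*\$Account" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
        Format-Table -AutoSize
}
```

The verification output should show exactly one CreateChild/DeleteChild entry with InheritanceType All, and the remaining entries with InheritanceType Descendents and the computer class GUID as InheritedObjectType. Anything else (an entry with no InheritedObjectType, or an entry on a parent OU) means the rights were scoped more widely than this page intends and should be removed with the same Get-Acl / RemoveAccessRule / Set-Acl sequence.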