Guidance on modifying machine account permissions during a domain join
satyaji.deshmuk at nutanix.com
Wed Feb 11 00:59:39 MST 2015
I have a use-case where I need to join a machine/netbios-name to a
domain via 'net ads join' command.
And then, be able to add more Service Principal Names(SPNs) to that
joined machine account in the future.
Currently, as part of the domain join operation, this is the default behavior-
The SELF principal does not have 'write servicePrincipalName'
permission. Due to this, I cannot add new SPNs from the machine that
joined the domain.
To work around this, I need to add the 'write servicePrincipalName'
permission as an administrator via GUI (Security tab on the account).
And then, I am able to add more SPNs to the machine account. But this
requires an extra administrative step.
To avoid the extra step, I believe I need to set the "Write
ServicePrincipalName" on the ACL for the SELF principal on the machine
account, during the domain join.
Would be great if someone could point me to code that I could look at,
to modify the ACL as described above, during domain join.
More information about the samba-technical