[Samba] Minimum User Rights For "net ads join"

eric roseme eroseme at emonster.rose.hp.com
Thu Sep 15 20:40:08 GMT 2005


I have seen a number of cases where unix/linux administrators do not 
have access to Windows Administrator rights to execute "net ads join". 
Here is the result of testing that I have done to determine what the 
minimum set of user rights is.

Case 1:  Adding the object to the domain and joining the domain with 
"net ads join"

In this case, an ordinary user "member of Domain Users" can add and join 
by having an Administrator assign the user special rights to the 
Computers container (or equivalent).  This is done by:
     1.  Users and Computers MMC, Advanced Features View
     2.  Right click Computers container and select Properties
     3.  Choose Security tab, add a new user to the container
     4.  Click Advanced, select the new user, click Edit
     5.  Clear all rights, add back only "Create Computer Objects"
     6.  OK to exit out

The user can now add and join the computer object using "net ads join -U 
username".


Case 2:  Add object using "Users and Computers" MMC, join using "net ads 
join".

This method is required when a custom schema is used and "net ads join" 
cannot find the correct container to add the computer.  Note that 
sometimes the userAccountControl attribute will populate with a value 
that denies krb5 authentication, and the attribute must be populated 
manually.
     1.  Users and Computers MMC, Advanced Features View
     2.  Add the computer object using the MMC.  Do not select "Windows
         2000 compatible".
     3.  Right click on the new computer object (note that this is
         different from the container in Case 1) and select Properties.
     4.  Click Advanced, then Add, and add the user to Security Settings.
     5.  Highlight the username, then select Edit.
     6.  Select "Full Control" - this will autoselect all Permissions.
     7.  Unselect those that we do not need:
             Full Control
             Create All Child Objects
             Delete All Child Objects
             ....(all items thru)
             Delete All Shared Folder Ob
     8.  OK to exit out.

The user can now join and modify the existing computer object using "net 
ads join -U username".


Caveats:

1.  "net ads leave -U username" does not work, even with Administrator.
2.  Several other "net ads" commands do not work.
3.  The ntSecurityDescriptor is not correctly processed (ldap.c accounts
     for this and adds the object anyway, and issues a warning)

JT - I have written a user's guide for this process.  Let me know if you 
would like to use it however you see fit.


Eric Roseme
Hewlett-Packard
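The Case 1 delegation above is done by clicking through the Users and Computers MMC. As an added example, not part of Eric's post or of Samba, the same least-privilege grant can be scripted with dsacls.exe on a domain-joined Windows host, which also makes it easy to audit afterwards. The domain DN, the container, and the account name below are placeholders I have assumed, not values from the post.

```powershell
# Added example (not from the original post): script the Case 1 delegation
# with dsacls.exe instead of the Users and Computers MMC, then verify it.
# Assumed values (not on the page): domain DC=example,DC=com, the default
# CN=Computers container, and a delegated account EXAMPLE\unixadmin.
# Run as a user who is allowed to modify the container's security descriptor.

param(
    [string]$Container = "CN=Computers,DC=example,DC=com",   # placeholder DN
    [string]$Account   = "EXAMPLE\unixadmin"                 # placeholder user
)

# Grant only "Create Computer Objects": CC is "create child", and the
# ";computer" suffix limits it to the computer object class, so the account
# gets no other rights on the container. /I:T applies the ACE to the
# container and its children, which is what the MMC checkbox in step 5 does.
& dsacls.exe $Container /I:T /G "${Account}:CC;computer"
if ($LASTEXITCODE -ne 0) {
    throw "dsacls failed with exit code $LASTEXITCODE"
}

# Verify the result: dump the container's ACL and keep only the ACEs that
# name the delegated account. There should be a single CREATE CHILD entry
# for the computer class and nothing broader (no GENERIC ALL, no DELETE).
$acl = & dsacls.exe $Container
$acl | Where-Object { $_ -match [regex]::Escape($Account) } | Out-Host
```

Once the ACE is in place, the Unix side is unchanged from the post: the delegated account runs "net ads join -U username" and the computer object is created under that container. Re-running the verification half of the script is a cheap periodic check that nobody has since widened the delegation to Full Control.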


