
Delegate rights for adding and removing virtual machines in an AD domain

To clone a VM and join it to the Active Directory (AD) domain, the user needs specific permissions on the Organizational Unit (OU) where the computer accounts reside. Full control of the OU or domain admin rights are not required.

Here are the permissions required on that OU:

  1. Create Computer Objects: Allows the user to create new computer accounts in the OU.

  2. Delete Computer Objects: Allows the user to delete computer accounts in the OU.

  3. Read: Read permission on the OU and on the computer objects in it.

  4. Write: Write permission on the computer objects, which covers the attributes updated at domain join such as dNSHostName and servicePrincipalName.

Note that Write on every computer object in the OU is broad: it also covers attributes such as msDS-AllowedToActOnBehalfOfOtherIdentity and msDS-KeyCredentialLink, so whoever holds this delegation can effectively take control of any machine in that OU. Grant it to a dedicated group rather than an individual user, keep the OU limited to the VMs that group manages, and, where the join process allows it, narrow the grant to the attributes it actually writes (dNSHostName, servicePrincipalName, account restrictions and password reset).

To Add or Remove any VM

To add or remove a VM's computer account in the domain as a non-admin user, delegate the rights on the particular Organizational Unit (OU) that holds the computer accounts as follows.

  1. Right-click the OU and click Delegate Control.

  2. Click Add and search for the user (preferably a group).

  3. Click Next and select Create a custom task to delegate.

  4. Select Only the following objects in the folder.

  5. Tick Computer objects, and also tick Create selected objects in this folder and Delete selected objects in this folder (without these two boxes the user can modify existing computer accounts but cannot add or remove them). Click Next.

  6. Under Permissions, tick General and select the following:

     - Read
     - Write
     - Create All Child Objects
     - Delete All Child Objects
     - Write All Properties

  7. Click Next, review the summary and click Finish.

This completes the rights delegation.
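The same delegation can be applied and verified from PowerShell, which is easier to repeat across OUs and to review later than the wizard. The block below is an added example, not code from the original page: it grants a group the right to create and delete computer objects directly in the OU, plus Read and Write (all properties) inherited to every computer object under it, and then checks that both ACEs are present. The OU distinguished name `OU=VMs,DC=corp,DC=example` and the group name `VM-Operators` are hypothetical; the GUID is the well-known schemaIDGUID of the `computer` class.

```powershell
# Added example (not the page's own code). Assumes the ActiveDirectory module
# (RSAT) and a hypothetical OU and group; adjust $OuDn and $GroupName.
Import-Module ActiveDirectory

$OuDn       = "OU=VMs,DC=corp,DC=example"   # hypothetical OU holding the computer accounts
$GroupName  = "VM-Operators"                # hypothetical group that will add/remove VMs
$ComputerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of class 'computer'

$ADRights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

function Grant-ComputerDelegation {
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid, [Guid]$ClassGuid)

    $acl = Get-Acl -Path "AD:\$OuDn"

    # ACE 1: create/delete child objects of class 'computer' on the OU itself
    # (what "Create/Delete selected objects in this folder" does in the wizard).
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        ($ADRights::CreateChild -bor $ADRights::DeleteChild),
        $Allow,
        $ClassGuid,          # objectType: limits the grant to computer objects
        $Inherit::None))

    # ACE 2: Read + Write (GenericWrite includes WriteProperty on all attributes)
    # inherited to descendant objects of class 'computer' only. This matches the
    # page's "Read / Write / Write All Properties" and is deliberately broad:
    # it includes msDS-AllowedToActOnBehalfOfOtherIdentity and msDS-KeyCredentialLink.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        ($ADRights::GenericRead -bor $ADRights::GenericWrite),
        $Allow,
        $Inherit::Descendents,
        $ClassGuid))         # inheritedObjectType: only computer objects inherit it

    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-ComputerDelegation {
    # Returns $true only if both ACEs above exist for the principal.
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid, [Guid]$ClassGuid)

    $account = $Sid.Translate([System.Security.Principal.NTAccount]).Value
    $aces = (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq $Allow }

    $createDelete = $aces | Where-Object {
        $_.ObjectType -eq $ClassGuid -and
        (([int]$_.ActiveDirectoryRights -band [int]$ADRights::CreateChild) -ne 0) -and
        (([int]$_.ActiveDirectoryRights -band [int]$ADRights::DeleteChild) -ne 0)
    }
    $writeComputers = $aces | Where-Object {
        $_.InheritedObjectType -eq $ClassGuid -and
        $_.InheritanceType -ne $Inherit::None -and
        (([int]$_.ActiveDirectoryRights -band [int]$ADRights::WriteProperty) -ne 0)
    }
    return ([bool]$createDelete -and [bool]$writeComputers)
}

$sid = (Get-ADGroup -Identity $GroupName).SID
Grant-ComputerDelegation -OuDn $OuDn -Sid $sid -ClassGuid $ComputerClassGuid

if (Test-ComputerDelegation -OuDn $OuDn -Sid $sid -ClassGuid $ComputerClassGuid) {
    Write-Output "Delegation for $GroupName on $OuDn is in place."
} else {
    Write-Warning "Delegation for $GroupName on $OuDn is incomplete; review the OU ACL."
}
```

Run it as an account that can modify the OU's security descriptor (for example a member of Domain Admins or an OU owner). `Test-ComputerDelegation` can also be run on its own from a non-privileged session to audit an OU before handing it over, since reading the ACL does not require the delegated rights.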