Overview
The ENGL documentation recommends that the ENGL build user is made a member of the Domain administrators group, to minimise complexity. However, a more restrictive set of rights may be desired.
Procedure
- On a Domain Controller, start Active Directory Users and Computers.
- Locate and right-click the Organizational Unit that you want to modify, and then click Delegate Control...
  Note: If the Workstation object is moved within AD as part of the build process, ensure that the delegation process is carried out on a high-level OU that covers all workstation OUs, or repeat the process for each workstation (and Temp workstation) OU.
- At the Welcome to the Delegation of Control Wizard page, click Next.
- Click Add to add the ENGL build user to the Selected users and groups list, and then click Next.
- In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
- Choose Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then select the following check boxes in the list below:
  - Create selected objects in this folder
  - Delete selected objects in this folder
- Click Next.
- In the Permissions list, select the General option, then click to select the following check boxes:
  - Reset Password
  - Read and write public information
  - Validated write to service principal name
  - Read and write Account Restrictions
  - Validated write to DNS host name
- Click Next.
- Click Finish.
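After the wizard completes, the delegation can be audited from PowerShell. The script below is an added example, not part of the ENGL documentation: it lists the explicit and inherited Allow ACEs held by the build account on the OU, maps them to the rights selected above, and flags anything else for review. The OU distinguished name and account name are placeholders, and the script assumes the ActiveDirectory module (RSAT) is installed; the GUIDs are the standard Active Directory schema identifiers for those rights.

```powershell
# Added example: audit what the build account can do on a delegated OU.
# Placeholders (assumptions, not from the original page): $OuDn, $BuildUser.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

$OuDn      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$BuildUser = 'EXAMPLE\engl-build'                  # placeholder account

# Standard AD schema GUIDs: computer class, plus the rights chosen in the wizard.
$Computer = 'bf967a86-0de6-11d0-a285-00aa003049e2'
$Expected = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'e48d0154-bcf8-11d1-8702-00c04fb96050' = 'Read and write public information'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Read and write Account Restrictions'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
}
$CreateDelete = 'Create/Delete Computer objects'

# All Allow ACEs on the OU whose trustee is the build account.
$aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $BuildUser -and $_.AccessControlType -eq 'Allow'
}

$report = foreach ($ace in $aces) {
    $obj = $ace.ObjectType.ToString()
    $inh = $ace.InheritedObjectType.ToString()
    $label = if ($obj -eq $Computer -and "$($ace.ActiveDirectoryRights)" -match 'CreateChild|DeleteChild') {
        $CreateDelete                      # child-object right scoped to computer class
    } elseif ($Expected.ContainsKey($obj) -and $inh -eq $Computer) {
        $Expected[$obj]                    # property/extended right applied to computers
    } else {
        'REVIEW: not in delegated list'    # e.g. GenericAll, or a right on another class
    }
    [pscustomobject]@{
        Delegation = $label
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $obj
        AppliesTo  = $inh
        Inherited  = $ace.IsInherited
    }
}
$report | Sort-Object Delegation | Format-Table -AutoSize

# Rights from the procedure that were not found on this OU.
$missing = @($Expected.Values) + $CreateDelete | Where-Object { $_ -notin $report.Delegation }
if ($missing) { Write-Warning ("Not delegated on this OU: " + ($missing -join '; ')) }
```

Run it once per OU that was delegated; any row marked REVIEW means the account holds a right beyond the ones selected in the wizard.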
If you have any problems or questions about the steps in this TID, please contact the ENGL support team.
