Use delegate control to join windows domain



Article ID: 240454


Products

ASG-S200

Issue/Introduction

The customer wanted to join the ProxySG to Active Directory, following the KB https://knowledge.broadcom.com/external/article/166420/steps-to-join-a-windows-domain.html and the product documentation.

The customer's manager told us: "We cannot approve ProxySG or a device using Domain Admin; please contact Broadcom support and give us the least privilege."

The customer is a financial institution and cannot accept any device or user using Domain Admin.

Environment

Release : 6.7.5.16

Component : Default-Sym

Resolution

As per the product documentation, a Domain Admin account is needed to join the domain.

If using a Domain Admin account is not acceptable, the account used must have sufficient permission to manage computer objects.

The following tests were done on Windows Server 2022 and SGOS 7.3:

1. Delegating control on the domain object with the "Join a computer to the domain" permission did not work; the join failed with an access denied error.

2. Delegating control on the "Computers" folder and granting "Full Control" on this folder worked: the domain user can join and rejoin the ProxySG to the domain. The steps are:

1) Create a new domain user.

2) Right-click the "Computers" folder under the domain and select "Delegate Control...".

3) Click Next > Add the newly created domain user > Next.

4) On the "Tasks to Delegate" window, select "Create a custom task to delegate".

5) Next > select "This folder, existing objects in this folder, and creation of new objects in this folder" > Next.

6) In the Permissions list, select "Full Control" > Next > Finish.
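The same delegation done from PowerShell, as an added example that is not part of this KB or of Broadcom's documentation: it grants the join account Full Control on the "Computers" container with inheritance covering the container, its existing objects and new objects (the choice made in step 5), then reads the container's explicit ACEs back so the grant can be audited. The domain DN and the account name are placeholders.

```powershell
# Added example: delegate Full Control on the Computers container to a
# dedicated join account, then audit the resulting ACEs. Requires the RSAT
# ActiveDirectory module and an account permitted to change that ACL.
Import-Module ActiveDirectory

# Placeholders: replace with the real domain DN and the join account.
$domainDn  = 'DC=example,DC=local'
$joinUser  = 'EXAMPLE\svc-proxysg-join'
$container = "AD:\CN=Computers,$domainDn"

# Resolve the account to a SID so the ACE does not depend on the name.
$sid = (New-Object System.Security.Principal.NTAccount($joinUser)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# GenericAll is what the wizard calls "Full Control".
# Inheritance All is "This folder, existing objects in this folder, and
# creation of new objects in this folder" (step 5 of the wizard).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path $container
$acl.AddAccessRule($ace)
Set-Acl -Path $container -AclObject $acl

# Audit: list every explicit (non-inherited) ACE on the container so the
# new grant, and any unexpected pre-existing ones, are visible.
Get-Acl -Path $container |
    Select-Object -ExpandProperty Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  InheritanceType, AccessControlType |
    Format-Table -AutoSize
```

The final listing is worth keeping as a periodic check: any identity other than the join account and the default Active Directory entries holding GenericAll here should be explained.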

Additional Information

https://knowledge.broadcom.com/external/article/166420/steps-to-join-a-windows-domain.html

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/authentication_co/IWA_configure_st/IWA_Direct_st/Windows_Domain_Join.html
