ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Use delegate control to join windows domain

book

Article ID: 240454

calendar_today

Updated On:

Products

ASG-S200

Issue/Introduction

Customer want to join AD , and following KB https://knowledge.broadcom.com/external/article/166420/steps-to-join-a-windows-domain.html and document to join,

But customer manager told us : "We can not approve ProxySG or device using Domain Admin , please contact Broadcom support and giving us the least privilege" 

The customer type is a financial unit and cannot accept any device or user to using Domain Admin, 

 

Environment

Release : 6.7.5.16

Component : Default-Sym

Resolution

As per product document, we need domain admin to join the domain.

If the domain admin is not acceptable, ensure the account has sufficient permission to manage computer objects. 

 

The following tests are on Windows Sever 2022 and SGOS 7.3,

1. Tested delegate control on domain object with "Join a computer to the domain" permission, it's not working,  got access denied error

2. Tested delegate control on "Computers" folder and grant "Full control" on this folder, it worked -- the domain user can join and rejoin the proxySG to the domain, the steps are,

1) create new domain user

2) right click "Computers" folder under the domain, select "Delegate Control..."

3) click Next  > Add the new created domain user > Next 

4) on "Tasks to Delegate" window, select "Create a custom task to delegate"

5) Next > select delegate control for "This folder, existing objects in this folder, and creation of new objects in this folder" > Next

6) on Permissions list, select "Full Control" > Next > Finish

Additional Information

https://knowledge.broadcom.com/external/article/166420/steps-to-join-a-windows-domain.html

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/authentication_co/IWA_configure_st/IWA_Direct_st/Windows_Domain_Join.html

Attachments