
Joining Tintri VMstore to a Microsoft Active Directory by a Non-administrative User

Applies To

 

Product(s): Tintri OS

Product Version(s): 3.1.0.1 or later

Introduction

 

This article describes how to join Tintri VMstore to Microsoft Active Directory® with a non-administrative user account by delegating the required permissions to that account in Active Directory.

This procedure is required only when the user account used for the domain join does not have sufficient privileges on the domain or on the specific Organizational Unit (OU) within the domain where VMstore will be joined.

Details

 Joining VMstore into an Active Directory domain fails with the following error message:

How-To

Use the Active Directory Delegate Control Wizard to delegate the required access rights to the user account on the default Computers OU or on a specific OU in the domain.

 

  1. Launch the Active Directory Users and Computers MMC snap-in and connect to the domain to which VMstore will be joined.
  2. Navigate to the OU (or default Computers OU) where VMstore is placed.
  3. Right-click on the OU and select Delegate Control.
  4. Click Next.

  5. Click Add to select and add the user or group. A group can be used as long as the domain join user is a member of that group.

    • Click Add.

    • Select and add the user or group. Click Next.

  6. Select Create a custom task to delegate and click Next.  

  7. Select Only the following objects in the folder and select Computer objects.  Select the following and then click Next:

    • Create selected objects in this folder
    • Delete selected objects in this folder
  8. Select General and Property-specific.
  9. From the Permissions list, select the following:

    • Change password

    • Reset password

    • Read and write account restrictions

    • Validated write to DNS host name

    • Validated write to service principal name

    • Read userPrincipalName

    • Write userPrincipalName

  10. Click Next and verify the summary.  

  11. Click Finish to perform this operation.

  12. Retry the domain join.
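
The same delegation can be applied from an elevated PowerShell prompt with dsacls.exe, which makes it repeatable and easy to review afterwards. This is an added example, not part of the original Tintri article: the OU distinguished name and the account name are placeholders, and the mapping of the wizard's check boxes to dsacls permission strings is an assumption to confirm against the wizard's result in your domain.

```powershell
# Added example: scripted equivalent of the Delegate Control wizard steps above.
# Placeholders (assumptions, not from the article); replace before running.
$OU        = 'OU=Storage,DC=example,DC=com'   # OU that will hold the VMstore computer object
$Principal = 'EXAMPLE\svc-vmstore-join'       # user or group used for the domain join

# Each entry is one access control entry (ACE).
#   Inherit 'T' = this object and its sub-objects, 'S' = sub-objects only
#   CC/DC = create/delete child, CA = control access (extended right),
#   WS = validated write, RP/WP = read/write property
$grants = @(
    # Step 7: create and delete computer objects in this folder
    @{ Inherit = 'T'; Ace = 'CCDC;computer' }
    # Step 9: permissions on the computer objects themselves
    @{ Inherit = 'S'; Ace = 'CA;Change Password;computer' }
    @{ Inherit = 'S'; Ace = 'CA;Reset Password;computer' }
    @{ Inherit = 'S'; Ace = 'RPWP;Account Restrictions;computer' }
    @{ Inherit = 'S'; Ace = 'WS;Validated write to DNS host name;computer' }
    @{ Inherit = 'S'; Ace = 'WS;Validated write to service principal name;computer' }
    @{ Inherit = 'S'; Ace = 'RPWP;userPrincipalName;computer' }
)

foreach ($g in $grants) {
    # "$($Principal):" keeps PowerShell from reading "$Principal:" as a drive-qualified name
    $ace = "$($Principal):$($g.Ace)"
    Write-Host "Granting $ace (inheritance /I:$($g.Inherit))"
    & dsacls.exe $OU "/I:$($g.Inherit)" /G $ace | Out-Null
    # Stop at the first ACE that dsacls reports as failed
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for '$ace' (exit code $LASTEXITCODE)"
    }
}

# Review: list every ACE on the OU that names the delegated principal,
# so the result can be compared with the permission list in step 9.
& dsacls.exe $OU | Select-String -SimpleMatch $Principal
```

The sub-object grants apply to every computer object under the chosen OU, so placing VMstore in a dedicated OU limits which computer accounts the join account can reset or modify.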

 

 
