
Joining Tintri Global Center (TGC) to a Microsoft Active Directory by a Non-administrative user

Applies To


Product(s): Tintri Global Center (TGC)

Product Version(s): or later



This article describes how to join Tintri Global Center (TGC) to Microsoft Active Directory® with a non-administrative user account by delegating the required permissions to that account in Active Directory.

This procedure is required only when the user account used for the domain join does not have sufficient privileges on the domain or on the specific Organizational Unit (OU) within the domain where the Tintri Global Center will be joined.


Joining a TGC into an Active Directory domain fails with the following error message: 


Use the Active Directory Delegate Control Wizard to delegate the required access rights to the user account on the default computers OU or on a specific OU in the domain.

  1. Launch the Active Directory Users and Computers MMC snap-in and connect to the domain to which TGC will be joined.
  2. Navigate to the OU (or default computers OU) where TGC is placed.
  3. Right-click on the OU and select Delegate Control. 
  4. Click Next.
  5. Click Add to select and add the user or group. A group can be used as long as the domain join user is a member of that group.

    • Click Add.

    • Select and add the user or group. Click Next.

  6. Select Create a custom task to delegate and click Next. 
  7. Select Only the following objects in the folder, then select Computer objects. Also select the following, then click Next:

    • Create selected objects in this folder 
    • Delete selected objects in this folder
  8. Select General and Property-specific.

  9. From the Permissions list select the following (shown in the following three screenshots):

    • Change password

    • Reset password

    • Read and write account restrictions

    • Validated write to DNS host name

    • Validated write to service principal name

    • Read userPrincipalName

    • Write userPrincipalName 

  10. Click Next and verify the summary. 

  11. Click Finish to perform this operation.
  12. Retry the domain join.
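
To confirm the delegation from a PowerShell session, the following added example (not Tintri's own code) reads the OU's ACL, reports which of the permissions from steps 7 and 9 are present for the delegated account, and then lists any broader grants. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name and account name are placeholders, and the GUIDs are the standard Active Directory schema and control-access-right identifiers.

```powershell
# Added example: audit the ACEs that the Delegation of Control steps above create.
Import-Module ActiveDirectory               # assumption: RSAT module; provides the AD: drive

$OU       = 'OU=Storage,DC=example,DC=com'  # placeholder: OU where TGC is placed
$Trustee  = 'EXAMPLE\svc-tgc-join'          # placeholder: delegated user or group
$R        = [System.DirectoryServices.ActiveDirectoryRights]
$Computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$AcctRes  = '4c164200-20c0-11d0-a768-00aa006e0529'         # Account Restrictions property set
$Upn      = '28630ebb-41d5-11d1-a9c1-0000f80367c1'         # userPrincipalName attribute

# N = wizard label, R = right, O = ACE ObjectType, A = ACE InheritedObjectType.
# Assumed ACE shape: create/delete sit on the OU, the rest apply to descendant computers.
$Expected = @(
  @{ N='Create computer objects';    R='CreateChild';   O=$Computer; A=[guid]::Empty }
  @{ N='Delete computer objects';    R='DeleteChild';   O=$Computer; A=[guid]::Empty }
  @{ N='Change password';            R='ExtendedRight'; O='ab721a53-1e2f-11d0-9819-00aa0040529b'; A=$Computer }
  @{ N='Reset password';             R='ExtendedRight'; O='00299570-246d-11d0-a768-00aa006e0529'; A=$Computer }
  @{ N='Read account restrictions';  R='ReadProperty';  O=$AcctRes; A=$Computer }
  @{ N='Write account restrictions'; R='WriteProperty'; O=$AcctRes; A=$Computer }
  @{ N='Validated write to DNS host name';          R='Self'; O='72e39547-7b18-11d1-adef-00c04fd8d5cd'; A=$Computer }
  @{ N='Validated write to service principal name'; R='Self'; O='f3a64788-5306-11d1-a9c5-0000f80367c1'; A=$Computer }
  @{ N='Read userPrincipalName';     R='ReadProperty';  O=$Upn; A=$Computer }
  @{ N='Write userPrincipalName';    R='WriteProperty'; O=$Upn; A=$Computer }
)

# Allow ACEs on the OU that name the trustee directly (inherited ones included).
$aces = @((Get-Acl -Path "AD:\$OU").Access | Where-Object {
  $_.IdentityReference.Value -eq $Trustee -and $_.AccessControlType -eq 'Allow' })

foreach ($e in $Expected) {
  $want = $e.R -as $R
  $hit  = $aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($want) -and
            $_.ObjectType -eq [guid]$e.O -and $_.InheritedObjectType -eq [guid]$e.A }
  '{0,-42} {1}' -f $e.N, $(if ($hit) { 'present' } else { 'MISSING' })
}

# Least privilege: list grants broader than the steps call for (full control,
# ACL or owner changes, or write access to every property).
$aces | Where-Object { $r = $_.ActiveDirectoryRights
    $r.HasFlag($R::GenericAll) -or $r.HasFlag($R::WriteDacl) -or $r.HasFlag($R::WriteOwner) -or
    ($_.ObjectType -eq [guid]::Empty -and $r.HasFlag($R::WriteProperty)) } |
  Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
```

If the delegation was made to a group, set `$Trustee` to the group name, since the ACEs name the group rather than its members.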

