Hello,
Currently there is no built-in functionality for that, but you can accomplish your task with a PowerShell script. To do this, you need to create a Business Rule that will be launched after creating a computer account and that will set the group who can join a computer to a domain with the help of a Run a program or PowerShell script action and a script. To create such a Business Rule:
- Create a new Business Rule.
- On the 2nd step of the Create Business Rule wizard, select Computer and After Creating a Computer.
- On the 3rd step, add the Run a program or PowerShell script action and paste the following script in the Script field:

      $groupName = "My Group" # TODO: modify me

      Import-Module Adaxes

      # Look up the group in the domain of the new computer account
      $group = Get-AdmGroup $groupName -Server $Context.GetObjectDomain("%distinguishedName%")
      if ($null -eq $group)
      {
          # Log the failure and stop; the computer account is left unchanged
          $Context.LogMessage("Group $groupName was not found!", "Error")
          return
      }

      # Store the group's SID as the user or group that can join the computer to the domain
      $Context.TargetObject.Put("adm-UserOrGroupThatCanJoinComputerToDomain", $group.SID.ToString())
      $Context.TargetObject.SetInfo()

- In the script, $groupName specifies the name of the group, members of which will be able to join the computer to a domain. Specify the name of the necessary group.
- Enter a short description for the script and click OK.
- Finish creation of the Business Rule.
That should do the job for now. Starting from our next version (Adaxes 2013.1) we'll add the functionality to set the user or group who can join a computer to a domain with a Business Rule action, and you won't need the script to do this.