I've spent a lot of time working on this. There's no workaround that actually
works.
The machine account must be deleted and recreated by the new user. I use a
generic user to own these new accounts, so I keep it even if the employee adding
machines leaves.
LP
On 6 Nov 2024 at 10:37 +0000, Francesco Malvezzi via samba <samba at
lists.samba.org>, wrote:
> Hi everybody,
>
> since a couple of years, user X can't join a computer to AD if the
> computer object has been created by user Y.
>
> It is KB5020276 - Netjoin: Domain join hardening changes [1].
>
> The documentation suggests a workaround, basically a group policy
> applied to all the domain controllers.
>
> Is it possible to apply group policies to a samba DC?
>
> The group policy I'm talking about requires a 2012R2 schema, but before
> raising the schema I would like to understand if it could possibly work ;)
>
> thank you so much,
>
> Francesco
>
> [1] https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8
>