If you work as an IT system administrator, you probably have come across this quite often. I don’t know how many times I have seen people be Domain Administrator without there being a more justified reason than “it was easy”.

Follow the steps described in this blog post to mitigate this issue.


Letting a user join computers to the domain without making them a Domain Administrator is quite a simple task in Windows Server using Delegation of Control.

Here’s how you do it:

1. Open Active Directory Users & Computers

2. Right click the desired domain and select Delegate Control

3. Press Next on the first screen

4. Press Add

5. Find the desired user

6. Press OK and then press Next

7. Select Join a computer to a domain

8. Press Next and then Finish
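
To check the result of the steps above, this added example (not part of the original post) lists which principals hold the delegated right on the domain root, and who is still a member of Domain Admins. It assumes the RSAT ActiveDirectory module is installed and that the wizard task is stored as an allow ACE granting Create Child scoped to the computer class; the function name `Get-ComputerCreateDelegation` is hypothetical.

```powershell
# Added example: audit the "join a computer to the domain" delegation.
# Run from a domain-joined host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" object class.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-ComputerCreateDelegation {
    param(
        # DN of the container to inspect; defaults to the domain root,
        # which is where the steps above apply the delegation.
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName
    )

    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # Keep only allow ACEs that grant Create Child for computer objects.
    # Broad ACEs (for example Full Control with no object type) are
    # deliberately not matched; this looks for the narrow delegation only.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        $_.ObjectType -eq $computerClass
    } | Select-Object IdentityReference, ActiveDirectoryRights,
                      IsInherited, InheritanceType
}

# 1. Who can create computer objects through a delegated ACE?
Get-ComputerCreateDelegation | Format-Table -AutoSize

# 2. Who is still a Domain Administrator? The group is addressed by its
#    well-known RID (512) so the check also works in localized domains.
$domainAdminsSid = "$((Get-ADDomain).DomainSID.Value)-512"
Get-ADGroupMember -Identity $domainAdminsSid -Recursive |
    Select-Object Name, SamAccountName, objectClass |
    Format-Table -AutoSize
```

Accounts that appear in the second list only because they needed to join computers are candidates for removal from Domain Admins once they show up in the first list.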


You should never delegate more permissions to the user than what is required. Using the Delegation of Control functionality in Active Directory helps with this task.