6.5 HP StoreAll OS User Guide
Configuring delegated users for an Active Directory domain
If you are adding delegated users to an Active Directory (AD) domain and the DNS host names
do not exceed 15 characters (the NetBIOS limit), the following are the minimum required permissions
that must be assigned to each user or group:
• Create Computer Objects
• Delete Computer Objects
• Read and Write Account Restrictions
• Validated write to DNS host name
• Validated write to SPN (service principal name)
• Reset Password
NOTE: If the DNS host name exceeds 15 characters, you must also assign the Write All Properties
permission. When the DNS host name exceeds 15 characters, the StoreAll HP-SMB client does not
create a User Principal Name (UPN) with a Common Name (CN) equal to the host name, and the
AD object does not match the host name. As a result, when the StoreAll OS attempts to create the
computer object, the creation is rejected because the computer object does not have sufficient
permissions to write the required object host name property, and the AD domain join fails.
HP recommends that you create a delegation group and add users to this group as needed, instead
of assigning permissions to users directly. Group management is more scalable.
1. Create the group of users for which you want to delegate access/control using the Delegation
of Control Wizard.
2. On the Active Directory Object Type window of the wizard:
   1. Select Only the following objects and then select Computer objects.
   2. Select the following options:
      • Create selected objects in this folder
      • Delete selected objects in this folder
   3. Click Next.
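Once the delegation has been applied, the ACL on the target container can be checked against the minimum permission list above. The following PowerShell is an added example, not part of the HP guide: the OU distinguished name and group name are placeholders, it assumes the RSAT ActiveDirectory module is installed, and the GUIDs are the standard AD schema and control-access-right identifiers for each permission.

```powershell
# Added example, not from the HP guide. $OuDn and $Group are placeholders.
Import-Module ActiveDirectory                      # RSAT module; provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices    # ActiveDirectoryRights enum

$OuDn     = 'OU=StoreAll,DC=example,DC=com'        # placeholder: container for the computer objects
$Group    = 'EXAMPLE\StoreAll-Delegates'           # placeholder: delegation group
$Any      = [guid]::Empty                          # ACE not restricted to one object type
$Computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer class

# Permission -> rights flags, object GUID, and whether the ACE must inherit to computer objects
$Required = @(
    @{ Name = 'Create Computer Objects';             Rights = 'CreateChild';                 Object = $Computer; OnComputer = $false }
    @{ Name = 'Delete Computer Objects';             Rights = 'DeleteChild';                 Object = $Computer; OnComputer = $false }
    @{ Name = 'Read and Write Account Restrictions'; Rights = 'ReadProperty, WriteProperty'; Object = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'; OnComputer = $true }
    @{ Name = 'Validated write to DNS host name';    Rights = 'Self';                        Object = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'; OnComputer = $true }
    @{ Name = 'Validated write to SPN';              Rights = 'Self';                        Object = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'; OnComputer = $true }
    @{ Name = 'Reset Password';                      Rights = 'ExtendedRight';               Object = [guid]'00299570-246d-11d0-a768-00aa006e0529'; OnComputer = $true }
    # Required only when the DNS host name exceeds 15 characters (see NOTE)
    @{ Name = 'Write All Properties';                Rights = 'WriteProperty';               Object = $Any;      OnComputer = $true }
)

# Explicit and inherited Allow ACEs held by the delegation group on the container
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow' }

# A permission counts as granted when an ACE carries all required flags for the
# matching object GUID (or for all objects) and, where needed, inherits to computers
$report = foreach ($r in $Required) {
    $want = [int][System.DirectoryServices.ActiveDirectoryRights]$r.Rights
    $hit  = $aces | Where-Object {
        (([int]$_.ActiveDirectoryRights -band $want) -eq $want) -and
        ($_.ObjectType -in $r.Object, $Any) -and
        (-not $r.OnComputer -or
            ($_.InheritanceType -ne 'None' -and $_.InheritedObjectType -in $Computer, $Any))
    }
    [pscustomobject]@{ Permission = $r.Name; Granted = [bool]$hit }
}
$report | Format-Table -AutoSize

# ACEs that go beyond the minimum set and deserve review
$aces | Where-Object { "$($_.ActiveDirectoryRights)" -match 'GenericAll|WriteDacl|WriteOwner' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

A group holding a broad grant such as Full Control shows every row as granted, so read the table together with the second listing.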