This article explains the permissions required for a non-administrator, delegated domain user service account that is used to join an Azure Files share to an Active Directory domain. If these permissions are not correct, the domain join step fails with an error such as (but not limited to) 'Access is denied' or 'A required privilege is not held by the client'.
This does NOT apply to Azure Active Directory Domain Services (AAD DS) environments. AAD DS environments only need the feature enabled (choosing Azure AD DS in Nerdio under the 'Join to AD' selector) and do not need to join the domain with a dedicated service account.
Note: For ease of deployment, you can instead use a domain administrator or temporarily elevate the delegated service account to domain administrator rights.
A domain admin account is sufficient to join the Azure Files share to your domain; however, if you are using a service account and delegating specific permissions to that account, the "Add/Remove computer accounts" delegated permissions used for AVD session hosts are not sufficient to add Azure Files shares.
Azure Files joins the domain as a delegated service principal user object. To join the Azure Files storage account to the domain, the service account therefore needs two things: permissions on the target Organizational Unit (OU) that allow it to create and write new user objects, and the user right to mark the Azure Files logon account as trusted for delegation (by default, this privilege is only granted to AD domain administrator users).
Delegating Permission for creating user objects
Steps for delegating permission to create and write user objects using Active Directory Users and Computers (ADUC, or dsa.msc):
- Select the OU where Azure Files will be joined, right-click it and choose Delegate Control.
- Add the service user account that will be used for joining Azure Files to the domain.
- Delegate the "Create, delete, and manage user accounts" task.
- Select Finish to apply.
Delegating permission to create delegated users
Steps for allowing the service user account used for joining Azure Files to the domain to mark the new Azure Files object as trusted for delegation. This requires modifying the Default Domain Controllers group policy object in Group Policy Management (gpmc.msc):
- Right-click Default Domain Controllers Policy and select Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, and open the "Enable computer and user accounts to be trusted for delegation" setting.
- Add the service user account that is being used for joining Azure Files to the domain.
- Close the editor and run gpupdate /force on all domain controllers. The policy change may take several minutes to apply after gpupdate completes.
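Both delegations above are easy to get partly right, and the join error only says that something is missing. The following PowerShell check is an added example, not part of this article or of Nerdio's own tooling: it reports whether the service account holds the OU permissions from the first procedure (create/delete of user objects on the OU and full control of descendant user objects, which is what the "Create, delete, and manage user accounts" task writes) and the "Enable computer and user accounts to be trusted for delegation" right from the second. The account name `svc-azfiles` and the OU path are placeholders; run it on a domain controller in an elevated session after gpupdate has completed, so that secedit exports the policy that is actually in effect there.

```powershell
# Added example, not part of the Nerdio article: verify both delegations before attempting
# the Azure Files domain join. Run on a domain controller, elevated, with the
# ActiveDirectory RSAT module available. Account and OU values below are placeholders.
Import-Module ActiveDirectory

function Test-AzFilesJoinDelegation {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,  # sAMAccountName of the delegated service account
        [Parameter(Mandatory)][string]$TargetOU         # distinguishedName of the OU Azure Files will join
    )

    $user      = Get-ADUser -Identity $ServiceAccount
    $sid       = $user.SID.Value
    $ntAccount = "$((Get-ADDomain).NetBIOSName)\$($user.SamAccountName)"
    $userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'user' object class
    $rights    = [System.DirectoryServices.ActiveDirectoryRights]

    # --- Check 1: the OU ACL lets the account create, delete and manage user objects ---
    # Only ACEs granted directly to the account are examined; rights inherited through
    # group membership are not expanded here.
    $allow = (Get-Acl -Path "AD:\$TargetOU").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -eq $ntAccount -or $_.IdentityReference.Value -eq $sid)
    }
    $canCreate = $false; $canDelete = $false; $canManage = $false
    foreach ($r in $allow) {
        # ObjectType = user class GUID scopes the ACE to user objects; an empty GUID means all classes
        $onUserClass = ($r.ObjectType -eq $userClass -or $r.ObjectType -eq [guid]::Empty)
        if ($onUserClass -and $r.ActiveDirectoryRights.HasFlag($rights::CreateChild)) { $canCreate = $true }
        if ($onUserClass -and $r.ActiveDirectoryRights.HasFlag($rights::DeleteChild)) { $canDelete = $true }
        # Full control on descendant user objects (InheritedObjectType = user class) covers the
        # attribute writes the join performs on the new object.
        if ($r.InheritedObjectType -eq $userClass -and $r.ActiveDirectoryRights.HasFlag($rights::GenericAll)) {
            $canManage = $true
        }
    }

    # --- Check 2: the account holds SeEnableDelegationPrivilege on this domain controller ---
    # This is the "Enable computer and user accounts to be trusted for delegation" user right
    # from the Default Domain Controllers Policy; secedit exports the policy currently applied.
    $inf = Join-Path $env:TEMP ('ura-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf |
        Where-Object { $_ -match '^\s*SeEnableDelegationPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item -Path $inf -Force
    $holders = @()
    if ($line) {
        # secedit lists principals comma-separated, as SIDs prefixed with '*' or as names
        $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $trustedForDelegation = ($holders -contains $sid) -or ($holders -contains $ntAccount)

    [pscustomobject]@{
        ServiceAccount         = $ntAccount
        TargetOU               = $TargetOU
        CanCreateUserObjects   = $canCreate
        CanDeleteUserObjects   = $canDelete
        CanManageUserObjects   = $canManage
        TrustedForDelegation   = $trustedForDelegation
        ReadyForAzureFilesJoin = $canCreate -and $canDelete -and $canManage -and $trustedForDelegation
    }
}

# Usage (placeholder values): every property should be True before you start the join in Nerdio.
Test-AzFilesJoinDelegation -ServiceAccount 'svc-azfiles' -TargetOU 'OU=AzureFiles,DC=contoso,DC=com'
```

If the first three properties are False, the OU delegation was applied to the wrong OU or to a different account; if only TrustedForDelegation is False, either the Default Domain Controllers Policy has not been refreshed on the domain controller you ran this on, or the account was granted the right through a group, which this check does not expand.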
Adding service account in Nerdio
Provide the service account under AD Profiles within Nerdio, under Settings > Integrations.
Select this new profile when creating the Azure Files storage account under the Join to AD selection.