Grant create computer object permissions to the cluster

This post is part of the Failover Cluster Checklist series.

The Failover Cluster computer object must be granted permission to create cluster resource objects (computers). Some resource objects can be staged in advance and others cannot, depending on the OS version and resource type. The easiest solution is to place each cluster in a separate OU and give the cluster permission to create objects in that OU only.

How to do it

  • If necessary, create a new OU and move all cluster nodes and cluster resource objects to the new OU.
  • Enable View > Advanced Features in ADUaC (Active Directory Users and Computers).

  • Open the Advanced Security Settings for the OU.

  • Add the cluster name machine object, and grant the Create Computer objects permission.

  • Make sure the cluster machine object has been granted the Read all Properties permission.
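The same two permissions can be granted with Get-Acl and Set-Acl. The script below is an added example, not part of the original post; the OU distinguished name and cluster name are placeholders, and applying the entries to the OU itself only (no inheritance to child OUs) is an assumption made here to match "that OU only".

```powershell
# Added example: requires the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

$ouDn        = 'OU=Cluster01,OU=Clusters,DC=example,DC=com'  # placeholder OU
$clusterName = 'CLUSTER01'                                   # placeholder cluster name object

# schemaIDGUID of the "computer" class: restricts CreateChild to computer objects.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$cno = Get-ADComputer -Identity $clusterName
$sid = [System.Security.Principal.SecurityIdentifier]$cno.SID

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path

# Assumption: apply to this OU only. Use ::All instead if cluster objects
# are kept in child OUs beneath it.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# "Create Computer objects"
$create = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    $inherit)

# "Read all properties"
$read = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $inherit)

$acl.AddAccessRule($create)
$acl.AddAccessRule($read)
Set-Acl -Path $path -AclObject $acl

# Verify: list the explicit (non-inherited) entries the cluster object now holds on the OU.
(Get-Acl -Path $path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
```

The verification output should show only CreateChild scoped to the computer class GUID and ReadProperty; any broader right for the cluster object on this OU is worth reviewing.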

Author: DizzyBadger

SQL Server DBA, Cluster expert, Principal Analyst

7 thoughts on “Grant create computer object permissions to the cluster”

    1. Yes, using get-acl and set-acl you can script this in PowerShell. That being said, I find it best to do it in ADUaC to make sure it is applied correctly.
