This post is part of the Failover Cluster Checklist series.
The Failover Cluster computer object must be granted the permissions it needs to create cluster resource objects (computers). Some resource objects can be staged and others cannot, depending on the OS version and resource type. The easiest solution is to place each cluster in a separate OU and give the cluster permission to create objects in that OU only.
How to do it
- If necessary, create a new OU and move all cluster nodes and cluster resource objects to the new OU.
- Enable View > Advanced Features in ADUaC (Active Directory Users and Computers).
- Open the Advanced Security Settings for the OU.
- Add the cluster name machine object, and grant the Create Computer objects permission.
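The same grant can be scripted. The following is an added example, not a script from this post: it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and cluster name are hypothetical placeholders. It adds the Create Computer objects ACE only if it is missing, then reads the ACL back to confirm it was applied.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and rights to modify the OU's ACL.
Import-Module ActiveDirectory

$ouDn    = 'OU=CLUSTER01,OU=Clusters,DC=example,DC=com'   # hypothetical OU
$cnoName = 'CLUSTER01'                                    # hypothetical cluster name object

# Resolve the cluster name object to its SID so the ACE does not depend on name translation.
$cnoSid = (Get-ADComputer -Identity $cnoName).SID

# Look up the schemaIDGUID of the "computer" class instead of hard-coding it.
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$classObject = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerClass = [Guid]$classObject.schemaIDGUID

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
# "None" = this OU only; use "All" if the cluster must also create objects in child OUs.
$scope       = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# Returns $true if the ACL holds an explicit Allow/CreateChild ACE for the computer class and the CNO.
function Test-CreateComputerAce {
    param($Acl)
    $rules = $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $cnoSid -and
            $r.AccessControlType -eq $allow -and
            $r.ObjectType -eq $computerClass -and
            ($r.ActiveDirectoryRights -band $createChild)) { return $true }
    }
    return $false
}

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
if (-not (Test-CreateComputerAce $acl)) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $cnoSid, $createChild, $allow, $computerClass, $scope
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Read the ACL back from the directory and confirm the ACE is present.
if (Test-CreateComputerAce (Get-Acl -Path $path)) {
    "OK: $cnoName can create computer objects in $ouDn"
} else {
    throw "ACE for $cnoName not found on $ouDn"
}
```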
Can we grant the same permission with PowerShell?
Yes, using Get-Acl and Set-Acl you can script this in PowerShell. That being said, I find it best to do it in ADUaC to make sure it is applied correctly.