An AD service account is needed for joining a computer to the domain during an unattended OS installation. The service account password will often sit in clear text in the unattend.xml file, so the account should be granted only the absolute minimum of permissions.
1. Create a new user account that will be used for joining computers to the domain; in this case I will call it SVC-JoinDomain
2. Open properties on the OU where computers will be joined to. Go to the security tab and click the Advanced button. Then click Add.
Note: If a computer object already exists in AD, the service account must be granted access to the OU where that computer object is located.
3. Enter the service account name and click OK
4. In the "Apply to" dropdown make sure that "This object and all descendant objects" is selected
select the following permissions:
Read All Properties
Write All Properties
Create Computer Object (NOTE: NOT SHOWN IN SCREENDUMP)
Delete Computer Object (NOTE: NOT SHOWN IN SCREENDUMP)
5. Change the "Apply to" dropdown to "Descendant Computer objects"
Select the following Permissions:
Validated write to DNS host name
Validated write to service principal name
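The same delegation can be applied from PowerShell instead of the ACL editor, which also makes the result easy to review and repeat. The script below is an added example, not part of the original guide; the domain (contoso.com), the OU path and the account name are assumed values, and the schema GUIDs are the well-known identifiers for the computer class and the two validated-write rights.

```powershell
# Added example: delegate the join-domain permissions from steps 2-5 with PowerShell.
# Assumptions (hypothetical): OU "OU=Workstations,DC=contoso,DC=com" and account SVC-JoinDomain.
# Run as a user allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN = "OU=Workstations,DC=contoso,DC=com"        # hypothetical target OU
$svc  = Get-ADUser -Identity "SVC-JoinDomain"      # account created in step 1
$sid  = [System.Security.Principal.SecurityIdentifier] $svc.SID

# Well-known schema GUIDs that scope the access control entries
$computerClass    = [Guid] "bf967a86-0de6-11d0-a285-00aa003049e2"  # computer object class
$validatedDnsHost = [Guid] "72e39547-7b18-11d1-adef-00c04fd8d5cd"  # Validated write to DNS host name
$validatedSpn     = [Guid] "f3a64788-5306-11d1-a9c5-0000f80367c1"  # Validated write to service principal name

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # this object and all descendants
$inhDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # descendant objects only

$acl = Get-Acl -Path "AD:\$ouDN"

# Step 4: Read All Properties + Write All Properties on this object and all descendant objects
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights] "ReadProperty, WriteProperty", $allow, $inhAll))

# Step 4: Create / Delete Computer objects, inherited by all descendant containers
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights] "CreateChild, DeleteChild", $allow, $computerClass, $inhAll))

# Step 5: the two validated writes, applied to descendant computer objects only
foreach ($right in @($validatedDnsHost, $validatedSpn)) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::Self, $allow, $right, $inhDesc, $computerClass))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list exactly what SVC-JoinDomain was granted on the OU so the delegation can be reviewed
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\SVC-JoinDomain" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The rules mirror the GUI steps exactly; note that the Read/Write All Properties entry from step 4 covers every object type under the OU, so if only computer objects live there (or you want it narrower) you can pass $computerClass as the inherited-object type on that rule as well.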