Join Domain Permissions

An AD service account is needed to join a computer to the domain during an unattended OS installation. Its password is usually stored in clear text in unattend.xml (and can persist in cached copies of the answer file on the built machine, for example under C:\Windows\Panther), so the account should be granted only the permissions that a domain join actually requires.

1. Create a new user account dedicated to joining computers to the domain; in this example it is called SVC-JoinDomain. Give it a long random password, since that password ends up in the answer file.

2. Open the properties of the OU that computers will be joined into. Go to the Security tab and click Advanced, then click Add.

Note: If a computer object already exists in AD (a pre-staged computer), the service account must also be granted these permissions on the OU where that computer object is located.

3. Enter the service account name and click OK

4. In the Apply to drop-down make sure that “This object and all descendant objects” is selected.

Select the following permissions:
Read All Properties

Write All Properties

Read Permissions

Modify Permissions

Create Computer Objects

Delete Computer Objects

Note: Write All Properties and Modify Permissions at this level let the service account change any attribute, and the ACL, of every object in the OU, which is considerably more than a domain join needs. For the absolute minimum, grant only Create Computer Objects here (and Delete Computer Objects only if the account must be able to remove and re-create existing computer objects), and rely on the per-computer rights in step 5.

5. Change the Apply to drop-down to “Descendant Computer objects”

Select the following permissions:
Change Password (not required for a domain join and can be omitted)

Reset Password

Validated write to DNS host name

Validated write to service principal name

Note: If step 4 was limited to Create Computer Objects, also select Read Account Restrictions and Write Account Restrictions here, because Setup must write userAccountControl on the new computer object when it joins.
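The same delegation can be scripted instead of clicked through. The following is an added example, not code from the original article: it grants SVC-JoinDomain the narrow domain-join set (Create Computer Objects on the OU; Reset Password, Read/Write Account Restrictions and the two validated writes on descendant computer objects) rather than Write All Properties and Modify Permissions, and it resolves the right GUIDs from the forest's own schema rather than hard-coding them. The OU distinguished name, the domain and the presence of the RSAT ActiveDirectory module are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original article): delegate domain-join rights
# to a service account with PowerShell instead of the ADUC GUI.
# Assumptions: RSAT ActiveDirectory module is installed; the account name and
# target OU below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'SVC-JoinDomain'
$TargetOU       = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU

$sid     = (Get-ADUser -Identity $ServiceAccount).SID
$rootDse = Get-ADRootDSE

# schemaIDGUID of the computer class, read from this forest's schema.
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# Extended rights, property sets and validated writes live in Extended-Rights and
# are identified by displayName (the same names ADUC shows).
function Get-RightGuid([string]$DisplayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$right.rightsGuid
}

$resetPwd  = Get-RightGuid 'Reset Password'
$acctRestr = Get-RightGuid 'Account Restrictions'
$valDns    = Get-RightGuid 'Validated write to DNS host name'
$valSpn    = Get-RightGuid 'Validated write to service principal name'

function New-Ace([System.DirectoryServices.ActiveDirectoryRights]$Rights,
                 [guid]$ObjectType,
                 [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
                 [guid]$InheritedObjectType) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

$rules = @(
    # Step 4 equivalent, reduced to the one right a join needs on the OU itself.
    # 'All' matches "This object and all descendant objects" so nested OUs work too.
    New-Ace 'CreateChild' $computerGuid 'All' ([guid]::Empty)

    # Step 5 equivalents, applied to descendant computer objects only.
    # (.NET spells the enum value "Descendents".)
    New-Ace 'ExtendedRight'              $resetPwd  'Descendents' $computerGuid
    New-Ace 'ReadProperty, WriteProperty' $acctRestr 'Descendents' $computerGuid
    New-Ace 'Self'                       $valDns    'Descendents' $computerGuid
    New-Ace 'Self'                       $valSpn    'Descendents' $computerGuid
)

$aclPath = "AD:\$TargetOU"
$acl = Get-Acl -Path $aclPath
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $aclPath -AclObject $acl

# Verify: list exactly what the service account can now do on the OU.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$ServiceAccount" } |
    Format-Table ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

Run it as an account that has Modify Permissions on the target OU. The final Format-Table is the check worth keeping: after delegation it should show only CreateChild on the OU plus the four object-type-scoped entries inherited by computer objects; any WriteProperty or WriteDacl entry without an ObjectType GUID means the account has been given more than a domain join requires.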

