When working with deployment tools such as SCCM or MDT you need an account that can add computers to a certain Organizational Unit (OU) in Active Directory.
As we all know: do NOT use a 'Domain Admin' account for this purpose.
The account used for joining computers to Active Directory ends up in plain text in the unattend.xml of every deployed client, so anyone who can read that file (or the task sequence logs) gets the password.
So it is best to create a separate account for joining computers to Active Directory with as few rights as possible, and to grant those rights only on the OU where the clients are created.
But which rights does this account need?
Here is an overview of the permissions to delegate on the staging OU:
| Permission | Apply to |
|---|---|
| Create Computer Objects | This object and all descendant objects |
| Delete Computer Objects | This object and all descendant objects |
| Read All Properties | Descendant Computer Objects |
| Write All Properties | Descendant Computer Objects |
| Read Permissions | Descendant Computer Objects |
| Modify Permissions | Descendant Computer Objects |
| Change Password | Descendant Computer Objects |
| Reset Password | Descendant Computer Objects |
| Validated write to DNS host name | Descendant Computer Objects |
| Validated write to service principal name | Descendant Computer Objects |
And this is what it looks like in the Advanced Security Settings of the OU:
Just be sure to set the rights on the OU where the clients will land during deployment, and nowhere higher in the tree: because its password sits in plain text on every client, this account should never have Write All Properties or Modify Permissions on computers outside the staging OU.
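The delegation above can be scripted instead of clicked through the wizard. The following is an added example, not part of the original post: it uses the ActiveDirectory module (RSAT) to add exactly the ACEs from the table to the staging OU and then lists what ended up in the DACL. The OU distinguished name `OU=Staging,OU=Workstations,DC=corp,DC=example,DC=com` and the account name `svc-domainjoin` are assumptions; the GUIDs for the computer class and the extended rights are looked up from the schema and the Extended-Rights container rather than hard-coded. Run it as an account that may modify the OU's security descriptor.

```powershell
# Added example: delegate domain-join rights to a dedicated account on one OU.
# Assumed names (adjust to your forest):
$OuDn    = "OU=Staging,OU=Workstations,DC=corp,DC=example,DC=com"
$Account = "svc-domainjoin"

Import-Module ActiveDirectory   # also provides the AD: PSDrive used by Get-Acl/Set-Acl

$rootDse = Get-ADRootDSE
$sid     = (Get-ADUser -Identity $Account).SID

# schemaIDGUID of the 'computer' class, used both as object type (Create/Delete
# Computer Objects) and as inherited object type (Descendant Computer Objects).
$computerClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID

# Resolve an extended right / validated write by its display name to its rightsGuid.
function Get-RightGuid([string]$DisplayName) {
    [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid).rightsGuid
}

$acl = Get-Acl -Path "AD:\$OuDn"

# Helper: add one Allow ACE for the join account. Defaults match the
# 'Descendant Computer Objects' rows of the table.
function Add-Rule {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents',
        [guid]$InheritedObjectType = $computerClassGuid
    )
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($rule)
}

# Create / Delete Computer Objects: this object and all descendant objects
Add-Rule -Rights 'CreateChild, DeleteChild' -ObjectType $computerClassGuid `
         -Inheritance All -InheritedObjectType ([guid]::Empty)

# Read All Properties, Write All Properties, Read Permissions, Modify Permissions:
# descendant computer objects only
Add-Rule -Rights 'ReadProperty, WriteProperty, ReadControl, WriteDacl'

# Change Password / Reset Password (control access rights)
Add-Rule -Rights ExtendedRight -ObjectType (Get-RightGuid 'Change Password')
Add-Rule -Rights ExtendedRight -ObjectType (Get-RightGuid 'Reset Password')

# Validated writes (the 'Self' right scoped to the validated-write GUID)
Add-Rule -Rights Self -ObjectType (Get-RightGuid 'Validated write to DNS host name')
Add-Rule -Rights Self -ObjectType (Get-RightGuid 'Validated write to service principal name')

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: show only the ACEs granted to the join account on this OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$Account" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Because the account gets explicit Create Child rights on the OU, it is not limited by ms-DS-MachineAccountQuota, so that quota is no substitute for scoping the delegation. The verification step at the end is also the quickest way to check work done in the GUI: the ACEs with a non-empty ObjectType are the ones the Advanced Security Settings dialog shows as "Special".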
Pingback: Domain-Join Account for SCCM and MDT « MS Tech BLOG
Hi Stephan,
Great article. Thanks! 🙂
Pingback: Write to OU permissions in Active Directory | DBA Checklist
Pingback: MDT 2013 – Configuring your environment for Bitlocker deployments with TPM, Windows 8.1 and MDT 2013 – renshollanders.nl
Silly follow-up question.
Should we hit the "Clear all" button under both tabs (Objects, Properties) and then end with 2 new entries listed that include the above items?
I ask since under Windows 10 it lists objects and properties together on a single tab and had several items checked by default under the properties section. I decided I should clear all and enter only the above as suggested.
The downside is that instead of having only 2 new permission entries with my domain-join account I have several; most are marked "Special" and I'm wondering if doing this in Windows 10 caused any issues.
I went ahead and redid this and confirmed that you're left with 6 total new permission entries: 5 "Special" and 1 "Create/Delete Computer objects". They looked identical to the ones created from the Win10 AD tools.
Hi Rob,
Thanks for the heads-up!
I will also look into this later.
/Stephan
Pingback: AD delegation for joining a machine to the domain | Ressources informatiques