When working with deployment tools you need an account that can add computers to a specific Organizational Unit (OU) in Active Directory.
As we all know: do NOT use a 'Domain Admin' account for this purpose.
The account used for adding computers to Active Directory appears in clear text in the unattend.xml!
So it's best to create a separate account for joining computers to Active Directory with as few rights as possible.
But what rights does this account need?
Here is an overview:
| Permission | Applies to |
| --- | --- |
| Create Computer Objects | This object and all descendant objects |
| Delete Computer Objects | This object and all descendant objects |
| Read All Properties | Descendant Computer Objects |
| Write All Properties | Descendant Computer Objects |
| Read Permissions | Descendant Computer Objects |
| Modify Permissions | Descendant Computer Objects |
| Change Password | Descendant Computer Objects |
| Reset Password | Descendant Computer Objects |
| Validated write to DNS host name | Descendant Computer Objects |
| Validated write to service principal name | Descendant Computer Objects |
And this is how it looks:
Just be sure to set the rights on the OU where the clients will land during deployment, not on the domain root!
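As an added example (not code from the original post), here is how the rights in the table above can be delegated with the ActiveDirectory PowerShell module. The OU path and the account name are placeholders; the GUIDs for the computer class and for the extended and validated-write rights are looked up in the schema and configuration partitions instead of being typed in. It assumes RSAT is installed and that you have the right to modify the OU's security descriptor.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not from the original post): adjust to your environment.
$OU      = 'OU=Workstations,DC=example,DC=com'   # OU where deployed clients will land
$Account = 'EXAMPLE\svc-domainjoin'              # dedicated, low-privilege join account

$rootDse = Get-ADRootDSE

# GUID of the 'computer' schema class; used to scope rights to (descendant) computer objects.
$computerClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid = [guid]$computerClass.schemaIDGUID

# Resolve extended / validated-write rights by display name rather than hard-coding GUIDs.
$rightsContainer = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
function Get-RightGuid {
    param([string]$DisplayName)
    $right = Get-ADObject -SearchBase $rightsContainer -LDAPFilter "(displayName=$DisplayName)" `
        -Properties rightsGuid | Select-Object -First 1
    if (-not $right) { throw "Extended right '$DisplayName' not found under $rightsContainer" }
    return [guid]$right.rightsGuid
}

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$Rule    = [System.DirectoryServices.ActiveDirectoryAccessRule]
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$OU"

# Create / Delete Computer Objects: "This object and all descendant objects",
# limited to the computer class by passing its GUID as the object type.
foreach ($r in @($Rights::CreateChild, $Rights::DeleteChild)) {
    $acl.AddAccessRule($Rule::new($sid, $r, $Allow, $computerGuid, $Inherit::All))
}

# Read/Write All Properties and Read/Modify Permissions: "Descendant Computer Objects".
foreach ($r in @($Rights::ReadProperty, $Rights::WriteProperty, $Rights::ReadControl, $Rights::WriteDacl)) {
    $acl.AddAccessRule($Rule::new($sid, $r, $Allow, $Inherit::Descendents, $computerGuid))
}

# Change Password / Reset Password are extended rights: "Descendant Computer Objects".
foreach ($name in 'Change Password', 'Reset Password') {
    $acl.AddAccessRule($Rule::new($sid, $Rights::ExtendedRight, $Allow,
        (Get-RightGuid $name), $Inherit::Descendents, $computerGuid))
}

# Validated writes to dNSHostName and servicePrincipalName use the Self right: "Descendant Computer Objects".
foreach ($name in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $acl.AddAccessRule($Rule::new($sid, $Rights::Self, $Allow,
        (Get-RightGuid $name), $Inherit::Descendents, $computerGuid))
}

Set-Acl -Path "AD:\$OU" -AclObject $acl

# Check: list what the join account now holds on the OU and compare it with the table.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run it once against the deployment OU only; the final listing is the check that every ACE carries the computer-class GUID as its inherited object type, so the account gains nothing on users, groups or other OUs.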