When working with deployment tools you need an account that can add computers to a certain Organizational Unit (OU) in Active Directory.
As we all know: do NOT use a ‘Domain Admin’ account for this purpose.
The credentials of the account used for joining computers to Active Directory appear in clear text in the unattend.xml!
So it is best to create a separate account for joining computers to Active Directory with as few rights as possible.
But which rights does this account need?
Here is an overview:
| Permission | Apply to |
|---|---|
| Create Computer Objects | This object and all descendant objects |
| Delete Computer Objects | This object and all descendant objects |
| Read All Properties | Descendant Computer Objects |
| Write All Properties | Descendant Computer Objects |
| Read Permissions | Descendant Computer Objects |
| Modify Permissions | Descendant Computer Objects |
| Change Password | Descendant Computer Objects |
| Reset Password | Descendant Computer Objects |
| Validated write to DNS host name | Descendant Computer Objects |
| Validated write to service principal name | Descendant Computer Objects |
And this is how it looks:

Just be sure to set the rights on the OU where the clients will land during deployment!
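The same delegation can be scripted instead of clicked through the dialog, which also makes it easy to re-check later that the join account has exactly the rights in the table and nothing more. The PowerShell below is an added example, not from the original post; it assumes the RSAT ActiveDirectory module (for the `AD:` drive), and the account name and OU path are placeholders. The GUIDs are the well-known Active Directory schema and extended-right identifiers for the computer class, the two validated writes and the two password rights.

```powershell
# Added example (not from the original post): delegate the rights from the table above
# to a dedicated join account on one OU, then read the result back.
Import-Module ActiveDirectory

$JoinAccount = 'CONTOSO\svc-domainjoin'              # placeholder: your join account
$TargetOU    = 'OU=Workstations,DC=contoso,DC=com'   # placeholder: OU where clients land

# Well-known schema class / extended-right GUIDs
$ComputerClass  = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2' # computer object class
$ValidatedDns   = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd' # Validated write to DNS host name
$ValidatedSpn   = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1' # Validated write to service principal name
$ChangePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b' # Change Password extended right
$ResetPassword  = [Guid]'00299570-246d-11d0-a768-00aa006e0529' # Reset Password extended right

$sid = ([System.Security.Principal.NTAccount]$JoinAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Build one Allow ACE. -Inherit All            = "This object and all descendant objects"
#                      -Inherit Descendents + -InheritedType $ComputerClass
#                                               = "Descendant Computer Objects"
function New-Ace {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit,
        [Guid]$InheritedType = [Guid]::Empty
    )
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inherit, $InheritedType)
}

$rules = @(
    # Create / Delete Computer Objects
    New-Ace -Rights 'CreateChild, DeleteChild' -ObjectType $ComputerClass -Inherit All
    # Read All Properties, Write All Properties, Read Permissions, Modify Permissions
    New-Ace -Rights 'ReadProperty, WriteProperty, ReadControl, WriteDacl' `
            -Inherit Descendents -InheritedType $ComputerClass
    # Change Password / Reset Password
    New-Ace -Rights ExtendedRight -ObjectType $ChangePassword -Inherit Descendents -InheritedType $ComputerClass
    New-Ace -Rights ExtendedRight -ObjectType $ResetPassword  -Inherit Descendents -InheritedType $ComputerClass
    # Validated writes to dNSHostName and servicePrincipalName
    New-Ace -Rights Self -ObjectType $ValidatedDns -Inherit Descendents -InheritedType $ComputerClass
    New-Ace -Rights Self -ObjectType $ValidatedSpn -Inherit Descendents -InheritedType $ComputerClass
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list only the ACEs granted to the join account on this OU
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $JoinAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Run it once per deployment OU with an account that may modify permissions on that OU. The final query is worth keeping as a periodic check: the join account should show up only on the deployment OU, and only with the ACEs listed here; any extra right that appears there (or on another OU) is a sign that someone has widened the delegation.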