Domain Join Account – Minimum Rights
This is another one of those items that has been sitting in my private notes for a while, though I can't remember where I originally found it. When you set up the account that a ConfigMgr Task Sequence uses to join a new computer to the domain, that account must have rights in Active Directory for the join to work. It is essentially a service account whose credential is handed to every client during OSD, so it should be given the bare minimum rights on the OU where the computer objects land, not Domain Admins or Account Operators membership. What are those rights? Use "Delegate Control" on the OU (or edit the OU's security directly) and grant the account "Allow" for only the following:
| Permission | Applies to |
|---|---|
| Reset Password | Descendant Computer objects |
| Validated write to DNS host name | Descendant Computer objects |
| Validated write to service principal name | Descendant Computer objects |
| Read/Write Account Restrictions | Descendant Computer objects |
| Create/Delete Computer Objects | This object and all descendant objects |
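The same delegation done from PowerShell, so it can be scripted and re-checked instead of clicked through the wizard. This is an added example, not part of the original post or a ConfigMgr script; the OU path and the account name are assumptions, while the GUIDs are the well-known schema and extended-right identifiers that are the same in every forest.

```powershell
# Added example (not from the original post): delegate the minimum domain-join
# rights from the table above to a service account on one OU, then list what
# the account actually ends up holding. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$ouDN     = 'OU=Workstations,DC=corp,DC=example'   # assumed target OU
$joinUser = 'CORP\svc-domainjoin'                  # assumed join account
$sid      = ([System.Security.Principal.NTAccount]$joinUser).Translate(
                [System.Security.Principal.SecurityIdentifier])

# Well-known GUIDs (identical in every AD forest)
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # Computer object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password (extended right)
$validatedDns  = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$validatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name
$acctRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDN"

# Row 5: Create/Delete Computer Objects on this object and all descendants.
# ObjectType = Computer class limits the create/delete right to computer objects.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# Rows 1-4: inherited only by descendant Computer objects (InheritedObjectType).
$rules = @(
    @{ Rights = 'ExtendedRight';               Guid = $resetPassword }   # Reset Password
    @{ Rights = 'Self';                        Guid = $validatedDns  }   # Validated write to DNS host name
    @{ Rights = 'Self';                        Guid = $validatedSpn  }   # Validated write to SPN
    @{ Rights = 'ReadProperty, WriteProperty'; Guid = $acctRestrict  }   # Read/Write Account Restrictions
)
foreach ($r in $rules) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Rights,
        $allow,
        $r.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,  # .NET's spelling
        $computerClass))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: the join account should hold exactly the five ACEs above and nothing else.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -eq $joinUser } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it as an account that can modify the OU's security descriptor. The final query is worth keeping as a periodic check: if the account ever shows GenericAll, WriteDacl or rights on anything other than Computer objects, someone has widened the delegation beyond what a domain join needs.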
Hopefully this will help others…and it will make it easier for me to quickly locate the next time I need to set it!