The Realm of the Verbal Processor

Jarvis's Ramblings

Domain Join Account – Minimum Rights

This falls under another one of those items that I have had in my private notes for a while, but can’t remember where I found it. When setting up the account in a ConfigMgr Task Sequence to join the new computer account to the domain, you must give that account rights in order for it to work. It is essentially a service account, so it should only be given the bare minimum rights. What are those rights? You can “Delegate Control” on the OU to the account and only give it “Allow” for the following:

| Permission | Apply To |
| --- | --- |
| Reset Password | Computer Objects |
| Validated write to DNS host name | Computer Objects |
| Validated write to service principal name | Computer Objects |
| Read/Write Account Restrictions | Computer Objects |
| Create/Delete Computer Objects | This object and all descendant objects |
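The same delegation can be scripted so it is repeatable and reviewable. This is an added example, not from the original post: the OU distinguished name and account name are hypothetical placeholders, and the GUIDs are the standard Active Directory schema and rights identifiers for the five table rows.

```powershell
# Hypothetical values: substitute your own OU and join account.
$ouDn    = 'OU=Workstations,DC=contoso,DC=com'
$account = 'CONTOSO\svc-domainjoin'

# Standard AD schema and rights GUIDs (not taken from the post).
$computer  = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$resetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password
$dnsHost   = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$spn       = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name
$acctRestr = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set

$sid   = [System.Security.Principal.NTAccount]::new($account).Translate(
             [System.Security.Principal.SecurityIdentifier])
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$ace   = [System.DirectoryServices.ActiveDirectoryAccessRule]

[System.DirectoryServices.ActiveDirectoryRights]$createDelete = 'CreateChild, DeleteChild'
[System.DirectoryServices.ActiveDirectoryRights]$extended     = 'ExtendedRight'
[System.DirectoryServices.ActiveDirectoryRights]$validated    = 'Self'
[System.DirectoryServices.ActiveDirectoryRights]$readWrite    = 'ReadProperty, WriteProperty'

$rules = @(
    # Create/Delete Computer Objects: this object and all descendant objects
    $ace::new($sid, $createDelete, $allow, $computer, $inh::All)
    # Remaining rights: inherited by descendant computer objects only
    $ace::new($sid, $extended,  $allow, $resetPwd,  $inh::Descendents, $computer)
    $ace::new($sid, $validated, $allow, $dnsHost,   $inh::Descendents, $computer)
    $ace::new($sid, $validated, $allow, $spn,       $inh::Descendents, $computer)
    $ace::new($sid, $readWrite, $allow, $acctRestr, $inh::Descendents, $computer)
)

$ou = [ADSI]"LDAP://$ouDn"
$ou.psbase.Options.SecurityMasks = 'Dacl'   # read and write the DACL only
foreach ($rule in $rules) { $ou.psbase.ObjectSecurity.AddAccessRule($rule) }
$ou.psbase.CommitChanges()

# Review step: list every explicit ACE the account now holds on the OU.
$ou.psbase.RefreshCache()
$ou.psbase.ObjectSecurity.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The final listing should show exactly five entries for the account; anything beyond those is more than the table above calls for.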

Hopefully this will help others…and it will make it easier for me to quickly locate the next time I need to set it!


March 31, 2009 - Posted by | ConfigMgr

1 Comment »

  1. […] Domain Join Account – Minimum Rights […]

    Pingback by MDT 2013 – Configuring your environment for Bitlocker deployments with TPM, Windows 8.1 and MDT 2013 | | January 23, 2014
