The Realm of the Verbal Processor

Jarvis's Ramblings

Domain Join Account – Minimum Rights

This falls under another one of those items that I have had in my private notes for a while, but can’t remember where I found it. When setting up the account in a ConfigMgr Task Sequence to join the new computer account to the domain, you must give that account rights in order for it to work. It is essentially a service account, so it should only be given the bare minimum rights. What are those rights? You can “Delegate Control” on the OU to the account and only give it “Allow” for the following:

Permission Apply To
Reset Password Computer Objects
Validated write to DNS host name Computer Objects
Validated write to service principal name Computer Objects
Read/Write Account Restrictions Computer Objects
Create/Delete Computer Objects This object and all descendant objects

Hopefully this will help others…and it will make it easier for me to quickly locate the next time I need to set it!

Advertisements

March 31, 2009 - Posted by | ConfigMgr

1 Comment »

  1. […] Domain Join Account – Minimum Rights […]

    Pingback by MDT 2013 – Configuring your environment for Bitlocker deployments with TPM, Windows 8.1 and MDT 2013 | renshollanders.nl | January 23, 2014


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s