Friday, October 30, 2009

Domain Join Account – Minimum Rights

This is another item that has lived in my private notes for a while, though I no longer remember where I found it. When you set up the account that a ConfigMgr Task Sequence uses to join a new computer to the domain, that account must be given rights on the OU where the computer accounts are created, or the join step will not work. It is essentially a service account, so it should get only the bare minimum. What are those minimum rights? Run "Delegate Control" on the OU (not on the whole domain) and grant the account only the following "Allow" entries:

Permission                                   Apply To
Reset Password                               Computer Objects
Validated write to DNS host name             Computer Objects
Validated write to service principal name    Computer Objects
Read/Write Account Restrictions              Computer Objects
Create/Delete Computer Objects               This object and all descendant objects
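As an added example (not from the original post) of scripting the same delegation instead of clicking through the wizard, the PowerShell below grants the five entries in the table on one OU and then reads them back so you can confirm nothing else was granted to the account. The OU distinguished name and the account name svc-domainjoin are placeholders; it assumes the ActiveDirectory module (RSAT) is installed and that you run it as a user allowed to modify the OU's ACL.

```powershell
# Added example, not from the original post: grant the domain-join account
# exactly the five ACEs from the table above on one OU, then read them back.
# $ouDN and $joinAccount are assumed placeholder names; replace them.
Import-Module ActiveDirectory

$ouDN        = "OU=Workstations,DC=contoso,DC=com"   # assumed OU
$joinAccount = "svc-domainjoin"                      # assumed sAMAccountName

$sid   = (Get-ADUser -Identity $joinAccount).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Resolve GUIDs from the forest instead of hard-coding them. Object class GUIDs
# (schemaIDGUID) live in the schema partition; extended rights, validated writes
# and property sets are controlAccessRight objects under CN=Extended-Rights.
$rootDse = Get-ADRootDSE
$computerClass = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID

$right = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $right[$_.displayName] = [guid]$_.rightsGuid }

# Builds one Allow ACE for $sid. "Apply To: Computer Objects" in the wizard is
# inheritance Descendents limited to the computer class; "This object and all
# descendant objects" is inheritance All with no inherited-object filter.
function New-JoinAce {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    if ($InheritedObjectType -ne [guid]::Empty) {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
            $sid, $Rights, $allow, $ObjectType, $Inheritance, $InheritedObjectType
    } else {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
            $sid, $Rights, $allow, $ObjectType, $Inheritance
    }
}

$aces = @(
    # Reset Password (extended right) on descendant computer objects
    New-JoinAce "ExtendedRight" $right["Reset Password"] "Descendents" $computerClass
    # Validated writes (ActiveDirectoryRights.Self) on descendant computer objects
    New-JoinAce "Self" $right["Validated write to DNS host name"] "Descendents" $computerClass
    New-JoinAce "Self" $right["Validated write to service principal name"] "Descendents" $computerClass
    # Read/Write the Account Restrictions property set on descendant computer objects
    New-JoinAce "ReadProperty, WriteProperty" $right["Account Restrictions"] "Descendents" $computerClass
    # Create/Delete computer objects on this OU and everything beneath it
    New-JoinAce "CreateChild, DeleteChild" $computerClass "All"
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list the explicit (non-inherited) entries the account now holds on the
# OU. Anything beyond these five is more than the domain join needs.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$joinAccount" -and -not $_.IsInherited } |
    Format-Table ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

The GUIDs are looked up by display name so the script does not depend on remembered values, and the final query is the check worth keeping: the ObjectType and InheritedObjectType columns show raw GUIDs, so if you prefer names, `dsacls "<OU DN>"` prints the same entries with the rights and object types resolved. Whichever way the ACEs are set, the account itself should remain an ordinary domain user with no group memberships or logon rights beyond what the task sequence needs.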
Hopefully this will help others…and it will make it easier for me to quickly locate the next time I need to set it!