Creating a JoinDomain account for use with SCCM OSD

Because The join domain account is often visible in your deployment answer file (unattend.xml of sysprep.inf) during the WinPE phase, it is important that this specific account does not have any more permission, than the bare minimum.. I often experience that a domain admin account is used for this job, which is a huge security breach. When i ask why this is, the answer is normally “ we can not find the information on how to create an account with only join domain rights”.

So her is a step by step guide on how to create such an account!

 

1. Open Active Directory Users and Computers and enable Advanced Features from the view menu

image

2. Create an account called sccmJD (or what ever you want to call it), and set password to never expire

3. Right click the OU, you want the account to be able to join computer objects to (this could be the to level domain if you would like), and  click Properties, open the Security TAB, and click Advanced.

image 

4: Click Add, and add the sccmJD account you just created, and click OK

 image

5: The Permission Entry for “OU” will appear. Make sure To set apply to : This object and all Descendant objects, and set Allow create and delete Computer objects. When done click OK.

image

6: Repeat step 4 to add the sccmJD account again. Make sure To set apply to : Descendant Computer objects, and set Allow on:

Read All Properties

Write All Properties

Read Permissions

Modify Permissions

Change Password

Reset Password

Validated write to DNS host name

Validated write to service principal name

When done click OK.

image

 

 

image

7:Click OK twice to exit the permissions settings.

That should be it..

By | 2010-09-16T08:51:26+00:00 September 16th, 2010|Configuration Manager (SCCM), OS Deployment|13 Comments

About the Author:

Michael Petersen
Twitter: @OSDeployLinkedin: Michael PetersenMicrosoft Community Contributor

13 Comments

  1. […] […]

  2. […] http://blog.coretech.dk/mip/creating-a-joindomain-account-for-use-with-sccm-osd/ This entry was posted in System Center Configuration Manager. Bookmark the permalink. ← IIS – The HTTP headers are already written to the client browser. SCOM 2012 – Generate Alert from Log file → […]

  3. Bill August 18, 2014 at 9:15 - Reply

    If this is truly my solution, thank you!! We’ve been using my Admin account, which due to separation of duties, does not have the proper permissions to reuse accounts. Create, delete, rename – yes, but not all of the attributes necessary to reuse. We really were hoping not to have to delete all of the existing AD attributes.

  4. […] Coretech Blog » Blog Archive » Creating a JoinDomain account for use with SCCM OSD m.rasti [@] outlook.com پاسخ با نقل قول […]

  5. Parham September 30, 2014 at 11:55 - Reply

    در زیر تنظیمات مربوط به ساخت اکانتی جهت اتصال (Join) کامپیوترها به دامین توضیح داده شده است.

    اکانت مربوطه فقط قابلیت اتصال دستگاهها به دامین را دارا بوده و هیچگونه دسترسی دیگری حتی ورود به دامین را دارا نمیباشد.

  6. Parham September 30, 2014 at 11:56 - Reply

    در زیر تنظیمات مربوط به ساخت اکانتی جهت اتصال (Join) کامپیوترها به دامین توضیح داده شده است.

    اکانت مربوطه فقط قابلیت اتصال دستگاهها به دامین را دارا بوده و هیچگونه دسترسی دیگری حتی ورود به دامین را دارا نمیباشد.

    1. Open Active Directory Users and Computers and enable Advanced Features from the view menu

  7. TDA October 6, 2014 at 10:07 - Reply

    On 2012? I cannot find:

    Change Password

    Reset Password

    Validated write to DNS host name

    Validated write to service principal name

    • Binary January 17, 2015 at 1:48 - Reply

      @TDA

      It’s there in 2012.

      Probably you forgot to change “Applies to: Descendant computer objects”

  8. Tin Nhan Chuc Tet January 13, 2016 at 15:00 - Reply

    I quite like reading a post that will make people think.

    Also, thank you for allowing me to comment!

  9. Caren February 1, 2016 at 12:04 - Reply

    Hi! I could have sworn I’ve visited this web site before but after browsing through some of the articles I realized it’s new to me.
    Anyhow, I’m definitely pleased I discovered it and I’ll
    be book-marking it and checking back regularly!

  10. […] Which permissions are required at a minimum is already very well covered in this blog article: http://blog.coretech.dk/mip/creating-a-joindomain-account-for-use-with-sccm-osd/ […]

  11. Brachus February 27, 2017 at 16:21 - Reply

    If you could remake or revise these instructions with screencaps from Server 2012R2, since it looks so much different, it would be extremely helpful.

  12. Brachus February 27, 2017 at 16:27 - Reply

    Or Windows 10 even since it adds several permissions by default under Advanced

Leave A Comment