Because the join domain account is often visible in your deployment answer file (unattend.xml or sysprep.inf) during the WinPE phase, it is important that this specific account does not have any more permissions than the bare minimum. I often experience that a domain admin account is used for this job, which is a huge security breach. When I ask why this is, the answer is normally “we cannot find the information on how to create an account with only join domain rights”.

So here is a step-by-step guide on how to create such an account!


1. Open Active Directory Users and Computers and enable Advanced Features from the View menu.


2. Create an account called sccmJD (or whatever you want to call it), and set the password to never expire.

3. Right-click the OU you want the account to be able to join computer objects to (this could be the top-level domain if you would like), click Properties, open the Security tab, and click Advanced.


4. Click Add, add the sccmJD account you just created, and click OK.


5. The Permission Entry for “OU” will appear. Make sure to set Apply to: This object and all descendant objects, and set Allow on create and delete Computer objects. When done, click OK.


6. Repeat step 4 to add the sccmJD account again. Make sure to set Apply to: Descendant Computer objects, and set Allow on:

Read All Properties

Write All Properties

Read Permissions

Modify Permissions

Change Password

Reset Password

Validated write to DNS host name

Validated write to service principal name

When done, click OK.

7. Click OK twice to exit the permissions settings.

That should be it.
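
To confirm the delegation ended up as narrow as steps 5 and 6 intend, the following PowerShell audit (an added example, not part of the original guide) lists the explicit ACEs the join account holds on the OU and marks any that fall outside the rights listed above. The domain name `CONTOSO` and the OU path are assumed placeholders, and the GUIDs are the well-known schema identifiers for the computer class and the four scoped rights.

```powershell
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Assumed values for illustration: replace with your own domain, account and OU.
$Account = 'CONTOSO\sccmJD'
$OU      = 'OU=Workstations,DC=contoso,DC=com'

# Well-known GUIDs: the computer object class and the scoped rights from step 6.
$Computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$Scoped = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
}
$R = [System.DirectoryServices.ActiveDirectoryRights]
$Step5       = [int]($R::CreateChild -bor $R::DeleteChild)
$Step6       = [int]($R::ReadProperty -bor $R::WriteProperty -bor $R::ReadControl -bor $R::WriteDacl)
$Step6Scoped = [int]($R::ExtendedRight -bor $R::Self)

# Returns $true only when an ACE stays within what steps 5 and 6 grant.
function Test-JoinAce($Ace) {
    $rights = [int]$Ace.ActiveDirectoryRights
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    # Step 5: create/delete child objects, limited to the computer class.
    if ($Ace.ObjectType -eq $Computer) { return ($rights -band (-bnot $Step5)) -eq 0 }
    # Step 6: everything else must apply to descendant computer objects only.
    if ($Ace.InheritedObjectType -ne $Computer) { return $false }
    if ($Ace.ObjectType -eq [guid]::Empty) { return ($rights -band (-bnot $Step6)) -eq 0 }
    return $Scoped.ContainsKey("$($Ace.ObjectType)") -and (($rights -band (-bnot $Step6Scoped)) -eq 0)
}

# Group membership: a join account should not appear in any privileged group.
Get-ADPrincipalGroupMembership -Identity $Account.Split('\')[-1] |
    Select-Object -ExpandProperty Name

# Explicit ACEs for the account on the OU; MatchesGuide = False needs review.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType,
        @{ n = 'MatchesGuide'; e = { Test-JoinAce $_ } }
```

Run it from a machine with the RSAT Active Directory module installed, once for each OU the account was delegated on.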