Required permissions for account to join Computer objects to domain

Summary

When a computer account is moved or recreated, the account that last touched it is recorded as its owner. To reset that ownership during a later join, the join account needs additional rights on the OU.

Synopsis

Domain join works as long as the computer object has not been touched (moved or recreated) from a Domain Administrator account. After that, a re-join fails and the existing computer account has to be deleted before a join succeeds.


Discussion

During the ASetup phase (when Windows is being configured by Columbus and the lock screen is visible), the domain join writes "2224 Computer Account already exists" to the log (NetJoin error 2224, NERR_UserExists). The computer is not re-joined to Active Directory because the old computer object is still present and the join account cannot take it over.

When a computer account is moved or recreated by a member of Domain Admins, that administrator (or, for objects created by Domain Admins members, the Domain Admins group) is recorded as the object's owner. The join account can then no longer reset the account, because it does not own the object and has no right to change its owner or permissions. To reset this ownership the join account needs the additional rights listed below.

Please follow these steps:

  1. To view the Security tab in Active Directory Users and Computers, select "Advanced Features" from the View menu.

  2. Open the Security tab of the OU you want to grant permissions on. This can be done at the domain level if required, but for security reasons it is better to limit it to the part of Active Directory the join actually targets.

  3. Select the principal (the join account) and grant it, at minimum, the following permissions. The first six are applied to descendant Computer objects (existing and future computer accounts under the OU); Create Computer objects and Delete Computer objects are granted on the OU itself, since they are child-object rights of the container:

Permission
List contents
Read all properties
Write all properties
Read permissions
Modify permissions
Modify owner
Create Computer objects
Delete Computer objects

Note that Modify permissions and Modify owner allow the join account to take over any computer object in scope. Keep the grant scoped to the OU the join targets rather than the domain root, and do not reuse this account for other purposes.
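The same grant can be applied from a management host with the ActiveDirectory PowerShell module instead of clicking through the Security tab. This is an added example and not part of the original article or of Columbus; the OU distinguished name (OU=Workstations,DC=example,DC=com) and the join account (EXAMPLE\svc-domainjoin) are assumptions to replace with your own values. The script resolves the schema GUID of the computer class so the ACEs are scoped to computer objects only, grants the six object rights to descendant computer objects, grants create/delete of computer children on the OU, and then prints the current owner of each computer object and the resulting ACEs so the change can be verified.

```powershell
# Added example (not from the original article): grant a join account the permissions
# listed above on one OU. $OU and $JoinAccount are assumptions; adjust them for your domain.
Import-Module ActiveDirectory

$OU          = 'OU=Workstations,DC=example,DC=com'   # assumption: OU the domain join targets
$JoinAccount = 'EXAMPLE\svc-domainjoin'               # assumption: account used by Columbus for the join

# Resolve the account to a SID so the ACE is not tied to the display name.
$sid = (Get-ADUser -Identity $JoinAccount.Split('\')[1]).SID

# Resolve the schemaIDGUID of the 'computer' object class from the schema partition,
# so the grant applies to computer objects only and not to every object type in the OU.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC `
                    -LDAPFilter '(lDAPDisplayName=computer)' `
                    -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$OU"

# 1. Rights on every existing and future computer object beneath the OU:
#    List contents, Read/Write all properties, Read permissions, Modify permissions, Modify owner.
$objectRights = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty, ReadControl, WriteDacl, WriteOwner'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $objectRights, [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)))   # inheritedObjectType: only computer objects receive this ACE

# 2. Rights on the OU itself: create and delete child objects of class computer.
$containerRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $containerRights, [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,     # objectType: limits create/delete to computer objects
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

Set-Acl -Path "AD:\$OU" -AclObject $acl

# Check 1: who currently owns each computer object in the OU. An owner of Domain Admins
# or an individual administrator is the situation the article describes.
Get-ADComputer -SearchBase $OU -Filter * | ForEach-Object {
    [pscustomobject]@{
        Name  = $_.Name
        Owner = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner
    }
} | Format-Table -AutoSize

# Check 2: the ACEs now present for the join account on the OU.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -eq $JoinAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it once per OU that receives Columbus-joined machines with an account that can edit the OU's DACL. The WriteDacl and WriteOwner rights are what let the join account reset ownership of an object an administrator recreated; because they also let it seize any computer object in scope, the grant is deliberately written against one OU and the computer class GUID rather than the domain root with "all objects".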



Additional Information

Applies to C7

Last update: Jan 28, 2019