Required permissions for account to join Computer objects to domain
Summary
When a computer account is moved, the last user account that touched it is marked as its owner. To reset this ownership the join account needs additional rights.
Domain join works as long as the computer object was not touched (moved or recreated) from a Domain Administrator account. After that, the re-join fails and the computer account has to be deleted before a join works again.
Discussion
During the ASetup phase (when Windows is being configured by Columbus and the lock screen is visible), the domain join writes "2224 Computer Account already exists" to the log. The computer is not rejoined to Active Directory because the old join data is still present.
When a computer account is moved, the last user account that touched it is marked as its owner. To reset this ownership the join account needs additional rights.
Please follow these steps:
1. In order to view the Security tab in Active Directory Users and Computers, select "View Advanced Features" from the View menu.
2. Open the Security tab of the OU you want to grant permissions on. This can be done at the domain level if required, but for security reasons it is possible to limit this to certain parts of Active Directory.
3. Select the principal account and apply the following permissions (minimum) to all computer objects:
- Read all properties
- Write all properties
- Create Computer objects
- Delete Computer objects
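The same delegation can be scripted instead of clicked through. The following PowerShell is an added example, not code from the KB article or from Columbus: it grants exactly the four permissions listed above to a join account on one OU, restricted to computer objects, and then reads the resulting ACEs back. The OU distinguished name, the join account name and the stale computer DN are placeholders to be replaced with your own values.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory
# module (RSAT) and an account allowed to change the OU's security descriptor.
Import-Module ActiveDirectory

$OuDn        = 'OU=Workstations,DC=corp,DC=example'   # placeholder: OU holding the computer objects
$JoinAccount = 'CORP\svc-domainjoin'                  # placeholder: the account Columbus joins with

# Well-known schemaIDGUID of the "computer" object class; used to scope every ACE
# to computer objects only, so user or group objects in the same OU are untouched.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$identity = New-Object System.Security.Principal.NTAccount($JoinAccount)
$acl      = Get-Acl -Path "AD:\$OuDn"

# Create Computer objects / Delete Computer objects:
# child-object rights on the OU and every container below it, limited to the computer class.
$childRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    $childRights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# Read all properties / Write all properties:
# property rights ([Guid]::Empty = all properties) that apply only to computer objects
# beneath the OU (inherited-object type = computer class).
$propRights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    $propRights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [Guid]::Empty,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ComputerClassGuid)))

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Check: list the ACEs the join account now holds on the OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize

# Check for the symptom described in the Summary: who currently owns a computer
# object that refuses to re-join ($StaleComputerDn is a placeholder).
$StaleComputerDn = 'CN=PC0001,OU=Workstations,DC=corp,DC=example'
(Get-Acl -Path "AD:\$StaleComputerDn").Owner
```

Run it once per OU that Columbus installs into rather than at the domain root; the inherited-object restriction to the computer class means the join account cannot read or write attributes of users, groups or other object types that happen to live under the same OU. If the owner check shows a Domain Administrator on a stale object, that is the situation the article describes, and the delegated rights above are what lets the join account take the object over instead of someone having to delete it by hand.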
Applies to C7