Because The join domain account is often visible in your deployment answer file (unattend.xml of sysprep.inf) during the WinPE phase, it is important that this specific account does not have any more permission, than the bare minimum.. I often experience that a domain admin account is used for this job, which is a huge security breach. When i ask why this is, the answer is normally “ we can not find the information on how to create an account with only join domain rights”.
So her is a step by step guide on how to create such an account!
1. Open Active Directory Users and Computers and enable Advanced Features from the view menu
2. Create an account called sccmJD (or what ever you want to call it), and set password to never expire
3. Right click the OU, you want the account to be able to join computer objects to (this could be the to level domain if you would like), and click Properties, open the Security TAB, and click Advanced.
4: Click Add, and add the sccmJD account you just created, and click OK
5: The Permission Entry for “OU” will appear. Make sure To set apply to : This object and all Descendant objects, and set Allow create and delete Computer objects. When done click OK.
6: Repeat step 4 to add the sccmJD account again. Make sure To set apply to : Descendant Computer objects, and set Allow on:
Read All Properties
Write All Properties
Validated write to DNS host name
Validated write to service principal name
When done click OK.
7:Click OK twice to exit the permissions settings.
That should be it..