Creating a domain-join account

I just got the question on what rights the domain join account needs. So here it is.

First of all you need to create an account for it in this example I named min svc-sccm-domainjoin and then locate the OU where your computer accounts will reside in. And then right click on it and set the security rights.

First you need to set the following rights on the OU and with the setting Apply to: This object and all descendant objects.

• Create Computer Object
• Delete Computer Object

After that you need to add the following rights with the setting apply to: Descendant Computer objects.

• Read All Properties
• Write All Properties
• Read Permissions
• Modify Permissions

• Change Password
• Reset Password
• Validated write to DNS host name
• Validated write to service princ