Create A Dedicated Account To Join Computers To A Domain

Admins often need to automate things, like creating a dedicated account for joining machines to an Active Directory (AD) domain.  This is useful for things like System Center Configuration Manger task sequences and System Center Virtual Machine Manager templates or similar needs.

First create a standard Windows user account.  Next, right-click on the Computers Organization Unit (OU) within your AD domain.  From the menu choose Delegate Control.

On the next screen (Users or Groups) choose Add and select the user account you just created.  Click Next.  Choose “Create a custom task to delegate” on the next screen.

Next, choose to only delegate control to computer objects and tick Create and Delete selected objects in this folder.  Click Next.

On the next screen choose to show general permissions and from the list select:

• Reset password
• Read and write account restrictions
• Validated write to DNS host name
• Validated write to service principal name

Click Next and finish to complete the wizard.  Repeat this process for any other OUs where you’ll be joining computers to the domain.