Minimum security settings of computer accounts for allowing domain user account to join domain

[Manik]

Sponsored Links

I want to configure the security settings for the computer accounts that only allow domain user to join domain. I have tried to create a dummy account using Active Directory Users and Computers > New Computer Wizard and specified a domain user account in the "The following user or group can join this computer to a domain". The domain account is able to join domain but also can modify the computer name, by simply changing the computer name in the Windows client, the computer account will be modified after restart. Does anyone know what is the minimum security settings of the computer account object so that the domain account can only have join domain priviledge and nothing else? Thanks.

[agarwalm11]

I usually dont like to use the Delegation Wizard for many reasons, the same thing can be also done using the Security tab in the Properties of the OU containing the computer accounts. I also do not understand which Properties a user needs to be able to Write to join a computer to a domain, but I do know that atleast some of them are written during the join operation, if I leave out the "Write All Properties", users cannot join the computer to the domain because a subset will work but I dont know which ones. Follow the below for instance:

1. First of all, in the Security tab, click Advanced.
2. After that click Add.
3. Now you need to key the name of the user or group you want to grant the permissions to; click OK
4. After that from the Apply onto: box, select Computer Objects
5. Now you can add check marks in the Allow column in these rows:
   Write All Properties (or select the Properties tab to grant Write to only those that are required)
   Reset Password
   Validate write to DNS host name
   Validate write to service principal name