For IT professionals using SCCM or MDT for Windows 10 / Server OS deployment, you may experience failures during the domain join process of your task sequence. Typically, the computer account fails to join the OU because the OU(s) don't have the correct join account permissions set. Often, when working with customers I see that their Active Directory domain join service account permissions are incorrectly configured. In some cases, customers are using a DOMAIN ADMIN account, which is bad security practice.

This article outlines the proper permissions you need to set for an Active Directory domain join service account for use during the Windows OS deployment task sequence.

IMPORTANT NOTE: It is not a security best practice to use a DOMAIN ADMIN account for joining systems to the domain, as this is a domain-wide account that typically has access to every server and computer. Also, domain admin accounts usually have access to many other Windows resources within the Active Directory domain. For these reasons and more, the least privilege account approach should always be used instead.

Contents:
Step-by-Step: Set Permissions For The Service Account
Legacy: Server 2012 functional domain Look and Feel

Prerequisites:
1. Create a standard user domain account (new accounts are better, to ensure they're not used by anything else but the auto domain join process).
2. Set the password to a strong password that includes upper/lower case, symbols, etc.
3. Set the service account password to "PASSWORD NEVER EXPIRES".

Applies to Server 2019 or Server 2016 Domain Controllers. Note: If using Server 2012 Domain Functional Level, the screens will look slightly different on the permissions page. See older pics later in this article for Server 2012.

Create OU(s) where you intend to automatically join systems to, and plan to set permissions on these OUs (better yet, the parent OU if you have several child OUs).

[Screenshot]

Requires setting 2 different "Applies To" scopes, "This object and all descendant objects" and "Descendant Computer Objects", or the service account join process will fail. Pay special attention to the specifics below.

If creating a NEW domain join service account, make sure to set "Password never expires" and UN-CHECK "User must change password at next logon". Confirm "Password Never Expires" is checked and "Account expires" is set to "NEVER".

Step-by-Step: Set Permissions For The Service Account

[Screenshot]
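The same delegation scripted in PowerShell, as an added example that is not part of the original article. It assumes a join account named svc-domainjoin and a target OU of OU=Workstations,DC=example,DC=com (both placeholders to replace). The article shows the individual rights only in its screenshots; the set granted here (create/delete computer objects on the OU and all descendants, and on descendant computer objects Reset Password, Read/Write Account Restrictions, Validated write to DNS host name and Validated write to service principal name) is the Microsoft-documented minimum for domain join, and the Domain Admins check only looks at direct group membership.

```powershell
# Added example, not from the original article. Replace the two placeholder values below.
Import-Module ActiveDirectory
$JoinAccount = 'svc-domainjoin'                     # assumed name of the join service account
$TargetOU    = 'OU=Workstations,DC=example,DC=com'   # assumed OU (or parent OU) systems are joined into

# 1. Confirm the account settings the article calls for before delegating anything.
$acct = Get-ADUser -Identity $JoinAccount -Properties PasswordNeverExpires, AccountExpirationDate, MemberOf
if (-not $acct.PasswordNeverExpires)     { throw "$JoinAccount must have 'Password never expires' checked" }
if ($null -ne $acct.AccountExpirationDate) { throw "$JoinAccount must have 'Account expires' set to Never" }
if ($acct.MemberOf -match '^CN=Domain Admins,') { throw "$JoinAccount is a Domain Admin; use a least-privilege account" }

# Well-known AD schema and rights GUIDs (identical in every forest).
$ComputerClass   = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$ResetPassword   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$AccountRestrict = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # property set: Account Restrictions
$ValidatedDns    = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write: DNS host name
$ValidatedSpn    = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write: service principal name

$sid   = [System.Security.Principal.SecurityIdentifier]$acct.SID
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # "This object and all descendant objects"
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # "Descendant ... objects"

$acl = Get-Acl -Path "AD:\$TargetOU"

# 2. Scope 1, "This object and all descendant objects": create and delete computer objects only.
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $createDelete, $Allow, $ComputerClass, $All))

# 3. Scope 2, "Descendant Computer Objects": the rights a join needs on the computer account itself.
$descendantRules = @(
    @{ Rights = 'ExtendedRight';               Guid = $ResetPassword   },
    @{ Rights = 'ReadProperty, WriteProperty'; Guid = $AccountRestrict },
    @{ Rights = 'Self';                        Guid = $ValidatedDns    },   # Self = validated write
    @{ Rights = 'Self';                        Guid = $ValidatedSpn    }
)
foreach ($r in $descendantRules) {
    $rights = [System.DirectoryServices.ActiveDirectoryRights]$r.Rights
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rights, $Allow, $r.Guid, $Desc, $ComputerClass))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 4. Verify: show only the ACEs granted to the join account, so a missing scope is visible at a glance.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$JoinAccount" } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

Run it once as an account that can modify the OU's security descriptor; the verification table at the end should list one ACE with InheritanceType All (create/delete computer) and four with InheritanceType Descendents whose InheritedObjectType is the computer class GUID. If either scope is missing, the task sequence join fails exactly as the article describes.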