Our windows admin is reluctant to create an account to be programmed into the K2000 to join machines to the domain post-install with the permissions recommended by our KACE system engineer (see below). Are any of YOU doing something similar? What do you recommend for permissions on such an account?

The Device Management team would like to request a service account for sole the purpose of joining/re-joining computers to the domain in imaging and OS install processes for the DM2 deployment appliance of Device Management. It should be a bare minimum account with the following permissions on the OU ComputersOU.


·         This object and all descendants

o   Create Computer objects

o   Delete Computer objects


·         Descendant Computer objects

o   Read all properties

o   Write all properties

o   Read Permissions

o   Modify Permissions

o   Change password

o   Reset password

o   Validated write to DNS host name

o   Validated write to service principal


0 Comments   [ + ] Show Comments


Please log in to comment



I have 2 kace users. 

The first is to get to the wim shares on other servers nothing else.

The second is to join to the domain and autologin after with.  The only people who will see the scripts with the password have the same level of access any way.  We did have to also allow modify computer objects so we could reuse the names already in the domain for the classroooms.

Answered 02/12/2013 by: SMal.tmcc
Red Belt

  • This is exactly what we do also, one user to join computers to the domain and another user for accessing images on file shares.
Please log in to comment

A Follow up:

The biggest problem our Windows sys admin has is with the permission “Write All Properties”. He said, "This would allow that account to be able to set the permission “Trust this computer for delegation” which is a very dangerous thing."

From my understanding for the service User to have the rights to re-install a system they did not join to the OU initially they will require "Read all Properties", "Write all Properties", "Change Password", and "Reset Password" rights on the computer object.

I believe our users that have access to join to domain don't have these secondary rights they only have Create and Delete Computer objects. And they would be the ones with access to the K2000.

Answered 02/13/2013 by: erush
Yellow Belt

Please log in to comment

Out of the box any user (domain admin or not) can add a PC to the domain, but on a maximum of 10 times.

If you want this user to be able to add a machine more than that but not have the domain admin rights then use delegation in AD

Taken from this link - http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx

Its for 2000 but it does work for subsequent versions.

Delegate rights using Active Directory Users and Computers:

1. Open the

Active Directory Users and Computers


2. Right-click the container under which you want the computers added, and press Delegate Control.

3. Press Next.

4. Press Add.

5. After adding all the users and/or groups, press Next.

6. Select Create custom task to delegate and press Next.

7. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and press Next.

8. Check the Create all child object box and press Next.

9. Press Finish.

Answered 02/16/2013 by: -mrk!!-
Yellow Belt

Please log in to comment
Answer this question or Comment on this question for clarity