Join machine to domain account for K2000
Our Windows admin is reluctant to create an account to be programmed into the K2000 to join machines to the domain post-install with the permissions recommended by our KACE system engineer (see below). Are any of YOU doing something similar? What do you recommend for permissions on such an account?
The Device Management team would like to request a service account for the sole purpose of joining/re-joining computers to the domain in imaging and OS install processes for the DM2 deployment appliance of Device Management. It should be a bare minimum account with the following permissions on the OU ComputersOU.
· This object and all descendants
    o Create Computer objects
    o Delete Computer objects
· Descendant Computer objects
    o Read all properties
    o Write all properties
    o Read Permissions
    o Modify Permissions
    o Change password
    o Reset password
    o Validated write to DNS host name
    o Validated write to service principal
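
The delegation requested above, written as dsacls grants scoped to the OU and followed by a review of the resulting ACL; this is an added example, not part of the original post or the KACE engineer's recommendation. The domain components, the account name EXAMPLE\svc-k2000-join, and reading the last list item as the "Validated write to service principal name" right are assumptions.

```powershell
# Assumed placeholder values (not from the original post): replace with your own.
$OU      = 'OU=ComputersOU,DC=example,DC=com'  # OU name is from the post; DC parts are assumed
$Account = 'EXAMPLE\svc-k2000-join'            # hypothetical service account name

# "This object and all descendants": create and delete computer objects (/I:T)
dsacls $OU /I:T /G "${Account}:CCDC;computer"
if ($LASTEXITCODE -ne 0) { throw 'dsacls failed for create/delete computer objects' }

# "Descendant Computer objects": /I:S applies each grant to child objects only,
# and the trailing ";computer" limits inheritance to computer objects.
$grants = @(
    'RP;;computer'                                           # Read all properties
    'WP;;computer'                                           # Write all properties
    'RC;;computer'                                           # Read permissions
    'WD;;computer'                                           # Modify permissions (account can edit ACLs on these objects)
    'CA;Change Password;computer'                            # Change password
    'CA;Reset Password;computer'                             # Reset password
    'WS;Validated write to DNS host name;computer'
    'WS;Validated write to service principal name;computer'  # assumed full name of the last list item
)
foreach ($g in $grants) {
    dsacls $OU /I:S /G "${Account}:$g"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$g'" }
}

# Review what the account now holds on the OU, so the Windows admin can confirm
# nothing beyond the requested list was granted (needs the ActiveDirectory module).
Import-Module ActiveDirectory
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType,
                  ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

Because every grant is set on the one OU and inherited only by computer objects, the account gains no rights on users, groups, or other OUs.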