Manually granting write permissions for a computer account

If the domain that the managed computer is joining does not have at least one Windows Server 2008 R2 domain controller, you must manually grant write permission for the Operating System Version and msDS-supportedEncryptionTypes attributes to the computer account of the joined computer.

To grant write permission for required attributes to the computer account

  1. Open Active Directory Users and Computers or ADSI Edit.
  2. Expand the Computers container and select the computer that is joining the domain, right-click, then click Properties.
  3. Click the Security tab, then click Advanced.
  4. Click Add.
  5. In the “Enter the object name to select” field, type SELF and click OK.
  6. Click the Properties tab, select This object only from the Apply to list, then scroll down and click Allow for the following attributes:

    • Write msDS-supportedEncryptionTypes
    • Write Operating System Version
  7. Click OK in each dialog box to close the dialog and save the new permissions.