Manually granting write permissions for a user account

If the domain that the managed computer is joining does not have at least one Windows Server 2008 R2 domain controller, you must manually grant write permission for the Operating System Version and msDS-supportedEncryptionTypes attributes to the user account used to join the computer to the domain.

  1. Open Active Directory Users Computers or ADSI Edit.
  2. Expand the Computers container and select the computer that is joining the domain, right-click, then click Properties.
  3. Click the Security tab, then click Advanced.
  4. Click Add.
  5. In the “Enter the object name to select” field, type the name of the Active Directory user who will join the computer to the domain and click OK.
  6. Click the Properties tab, select This object only from the Apply to list, then scroll down and click Allow for the following attributes:

    • Write msDS-supportedEncryptionType
    • Write Operating System Version attributes
  7. Click OK in each dialog box to close the dialog and save the new permissions.