Preparing a computer object

To prepare a computer account in a zone before joining, the following permissions apply to the user or group you want to designate as the trustee for joining the domain.

Select this target object	To apply these permissions
The serviceConnectionPoint object for the computer account	Click the Object tab and select Allow to apply the following permission to this object only: Read all properties Write keywords property Write displayName property
Computer account object in Active Directory For example, if the computer account name is AJAX: domain/Computers/AJAX	Click the Object tab and select Allow to apply the following permission to this object only: Read Permission Reset Password Write userAccountControl Validated write to DNS host name Validated write to service principal name Write to service principal name Write msDS-SupportedEncryptionTypes Write Account Restrictions Write Description Write displayName Write computer name (Pre-Windows 2000) Delete Delete Subtree All Extended Rights

Select this target object

To apply these permissions

The serviceConnectionPoint object for the computer account

Click the Object tab and select Allow to apply the following permission to this object only:

Read all properties
Write keywords property
Write displayName property

Computer account object in Active Directory

For example, if the computer account name is AJAX:

domain/Computers/AJAX

Click the Object tab and select Allow to apply the following permission to this object only:

Read Permission
Reset Password
Write userAccountControl
Validated write to DNS host name
Validated write to service principal name
Write to service principal name
Write msDS-SupportedEncryptionTypes
Write Account Restrictions
Write Description
Write displayName
Write computer name (Pre-Windows 2000)
Delete
Delete Subtree
All Extended Rights

The adjoin command resets the computer account and grants the computer’s SELF account the following permissions:

Write operatingSystem
Write operatingSystemVersion
Write operatingSystemHotfix
Write operatingSystemServicePack
Write altSecurityIdentities

Creating the computer object manually

If you use Active Directory Users and Computers to prepare the computer object instead of the Prepare Computer wizard, the following permissions must be granted on the computer for the trustee:

Select this target object	To apply these permissions
The serviceConnectionPoint object for the computer account	Click the Object tab and select Allow to apply the following permission to this object only: Read all properties Write keywords property Write displayName property
Computer account object in Active Directory For example, if the computer account name is AJAX: domain/Computers/AJAX	Click the Object tab and select Allow to apply the following permission to this object only: Read Permission Reset Password Write userAccountControl Validated write to DNS Host Name Validated write to service principal name Write Account Restrictions Write Description Write displayName Write computer name (Pre-Windows 2000) Write operatingSystem Write operatingSystemVersion Write operatingSystemHotfix Write operatingSystemServicePack Write altSecurityIdentities Write msDS-SupportedEncryptionTypes Delete Delete Subtree All Extended Rights

Select this target object

To apply these permissions

The serviceConnectionPoint object for the computer account

Click the Object tab and select Allow to apply the following permission to this object only:

Read all properties
Write keywords property
Write displayName property

Computer account object in Active Directory

For example, if the computer account name is AJAX:

domain/Computers/AJAX

Click the Object tab and select Allow to apply the following permission to this object only:

Read Permission
Reset Password
Write userAccountControl
Validated write to DNS Host Name
Validated write to service principal name
Write Account Restrictions
Write Description
Write displayName
Write computer name (Pre-Windows 2000)
Write operatingSystem
Write operatingSystemVersion
Write operatingSystemHotfix
Write operatingSystemServicePack
Write altSecurityIdentities
Write msDS-SupportedEncryptionTypes
Delete
Delete Subtree
All Extended Rights