Preparing a computer object

To prepare a computer account in a zone before joining, grant the following permissions to the user or group you designate as the trustee for joining the domain.

Select this target object | To apply these permissions

The serviceConnectionPoint object for the computer account

Click the Object tab and select Allow to apply the following permissions to this object only:

  • Read all properties
  • Write keywords property
  • Write displayName property

Computer account object in Active Directory

For example, if the computer account name is AJAX:

domain/Computers/AJAX

Click the Object tab and select Allow to apply the following permissions to this object only:

  • Read Permission
  • Reset Password
  • Write userAccountControl
  • Validated write to DNS host name
  • Validated write to service principal name
  • Write to service principal name
  • Write msDS-SupportedEncryptionTypes
  • Write Account Restrictions
  • Write Description
  • Write displayName
  • Write computer name (Pre-Windows 2000)
  • Delete
  • Delete Subtree
  • All Extended Rights

The adjoin command resets the computer account password and grants the computer's SELF account the following permissions:

  • Write operatingSystem
  • Write operatingSystemVersion
  • Write operatingSystemHotfix
  • Write operatingSystemServicePack
  • Write altSecurityIdentities

Creating the computer object manually

If you use Active Directory Users and Computers to prepare the computer object instead of the Prepare Computer wizard, the following permissions must be granted to the trustee on the computer object:

Select this target object | To apply these permissions

The serviceConnectionPoint object for the computer account

Click the Object tab and select Allow to apply the following permissions to this object only:

  • Read all properties
  • Write keywords property
  • Write displayName property

Computer account object in Active Directory

For example, if the computer account name is AJAX:

domain/Computers/AJAX

Click the Object tab and select Allow to apply the following permissions to this object only:

  • Read Permission
  • Reset Password
  • Write userAccountControl
  • Validated write to DNS host name
  • Validated write to service principal name
  • Write Account Restrictions
  • Write Description
  • Write displayName
  • Write computer name (Pre-Windows 2000)
  • Write operatingSystem
  • Write operatingSystemVersion
  • Write operatingSystemHotfix
  • Write operatingSystemServicePack
  • Write altSecurityIdentities
  • Write msDS-SupportedEncryptionTypes
  • Delete
  • Delete Subtree
  • All Extended Rights
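The two permission tables above (wizard-prepared object, and object created manually in Active Directory Users and Computers) can be applied with a script instead of clicking through the Object tab for every computer. The following PowerShell is an added example and is not part of the Centrify documentation or the adjoin tooling. It assumes the ActiveDirectory module is installed, the computer object and its serviceConnectionPoint child already exist, and the trustee is a hypothetical group named "Join Operators". Attribute and extended-right GUIDs are resolved from the forest schema and the Extended-Rights container at run time rather than hard-coded. The mapping of the ADUC label "Write computer name (Pre-Windows 2000)" to the sAMAccountName attribute is an assumption about how ADUC labels that attribute. The -ManualObject switch adds the operatingSystem*, altSecurityIdentities entries from the second table; without it the script follows the first table and leaves those attributes for adjoin to grant to SELF.

```powershell
# Added example (not Centrify's code): grant a join trustee the permissions listed
# above on one computer object and its serviceConnectionPoint, "this object only".
# Usage: .\Grant-JoinTrustee.ps1 -ComputerName AJAX -Trustee 'EXAMPLE\Join Operators'
param(
    [string]$ComputerName = 'AJAX',
    [string]$Trustee      = 'Join Operators',   # hypothetical group name (assumption)
    [switch]$ManualObject                       # object created in ADUC, not by the wizard
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$rightsNc = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve GUIDs from the directory instead of hard-coding them.
function Get-AttributeGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "attribute '$LdapDisplayName' not found in schema" }
    [guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsNc -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "extended right or property set '$DisplayName' not found" }
    [guid]$o.rightsGuid
}

$sid   = ([System.Security.Principal.NTAccount]$Trustee).Translate([System.Security.Principal.SecurityIdentifier])
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$none  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # "this object only"

# Build one ACE; an empty ObjectType means the right applies to all properties/rights.
function New-Ace([System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType = [guid]::Empty) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, $allow, $ObjectType, $none)
}
function Grant-Aces([string]$Path, $Aces) {
    $acl = Get-Acl -Path $Path
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

$dn = (Get-ADComputer $ComputerName).DistinguishedName

# Computer account object: non-attribute rights from the table.
$aces = @(
    (New-Ace ReadControl)                                                      # Read Permission
    (New-Ace ExtendedRight (Get-RightsGuid 'Reset Password'))                  # Reset Password
    (New-Ace Self (Get-RightsGuid 'Validated write to DNS host name'))
    (New-Ace Self (Get-RightsGuid 'Validated write to service principal name'))
    (New-Ace WriteProperty (Get-RightsGuid 'Account Restrictions'))            # property set
    (New-Ace Delete)
    (New-Ace DeleteTree)                                                       # Delete Subtree
    (New-Ace ExtendedRight)                                                    # All Extended Rights
)

# Attribute writes. sAMAccountName = "computer name (Pre-Windows 2000)" (assumption).
$attrs = 'userAccountControl', 'servicePrincipalName', 'msDS-SupportedEncryptionTypes',
         'description', 'displayName', 'sAMAccountName'
if ($ManualObject) {
    # Manual path: the trustee, not SELF, needs these (second table).
    $attrs += 'operatingSystem', 'operatingSystemVersion', 'operatingSystemHotfix',
              'operatingSystemServicePack', 'altSecurityIdentities'
}
foreach ($a in $attrs) { $aces += New-Ace WriteProperty (Get-AttributeGuid $a) }
Grant-Aces "AD:\$dn" $aces

# serviceConnectionPoint child of the computer object.
$scp = Get-ADObject -SearchBase $dn -SearchScope OneLevel -LDAPFilter '(objectClass=serviceConnectionPoint)' |
       Select-Object -First 1
if (-not $scp) { throw "no serviceConnectionPoint found under $dn" }
Grant-Aces "AD:\$($scp.DistinguishedName)" @(
    (New-Ace ReadProperty)                                          # Read all properties
    (New-Ace WriteProperty (Get-AttributeGuid 'keywords'))
    (New-Ace WriteProperty (Get-AttributeGuid 'displayName'))
)

# Check: list what the trustee now holds on the computer object.
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Format-Table ActiveDirectoryRights, ObjectType, AccessControlType -AutoSize
```

Two points worth keeping in mind when running this. Reset Password, Write userAccountControl and All Extended Rights together let the trustee take over the computer account outright, so the trustee should be a small dedicated group and the ACEs should be set with inheritance None on the specific computer objects, as the tables say ("this object only"), never on the Computers container or an OU. And because All Extended Rights already covers Reset Password, the explicit Reset Password ACE is redundant; it is kept here only to mirror the table line for line.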