Back to Basic: Permissions needed in AD to “mess” with computers during OS Deployment

No, nothing new at all; this is more of a “Note”. I hate to look this up around my own notes when I troubleshoot things. This normally applies to the WDS account when WDS is installed on something other than the DC (which should be the case), or when you use a BuildAccount in MDT LTI.

The following permissions are needed on the OU where account X should be able to create computer accounts:

Scope: This Object and all descendant objects

  • Create Computer Objects
  • Delete Computer Objects

Scope: Descendant Computer Objects

  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Modify Permissions
  • Change Password
  • Reset Password
  • Validated write to DNS host name
  • Validated write to service principal name
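The same delegation expressed as `dsacls` commands, as an added example that is not part of the original note. The OU distinguished name and the account name are placeholders, and it assumes the AD DS tools are installed and the session runs as a user allowed to change the OU's ACL.

```powershell
# Added example: both values below are placeholders, not taken from the post.
$ou      = 'OU=Deploy,DC=example,DC=com'   # hypothetical deployment OU
$account = 'EXAMPLE\svc-build'             # hypothetical WDS / MDT build account

# Scope: This object and all descendant objects (/I:T).
# CC = create child, DC = delete child, restricted to the computer class.
dsacls $ou /I:T /G "${account}:CCDC;computer"

# Scope: Descendant Computer objects (/I:S with inherited object type 'computer').
$computerAces = @(
    'RPWP;;computer'                                         # Read / Write All Properties
    'RCWD;;computer'                                         # Read / Modify Permissions
    'CA;Change Password;computer'                            # extended right
    'CA;Reset Password;computer'                             # extended right
    'WS;Validated write to DNS host name;computer'           # validated write
    'WS;Validated write to service principal name;computer'  # validated write
)
foreach ($ace in $computerAces) {
    dsacls $ou /I:S /G "${account}:$ace"
}

# Review the result: list only the ACEs on the OU that name the account.
dsacls $ou | Select-String -SimpleMatch $account
```

Modify Permissions lets the account rewrite the ACL of every computer object in scope, so point `$ou` at a dedicated deployment OU rather than a broad container.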

/Mike – Over and Out
