Domain Join – Minimum Permissions


In October 2023, Microsoft made further changes to the way in which machines may be joined to a domain.

In a recent post, we spoke about the minimum permissions required to rejoin or prestage a computer within an Active Directory domain. That’s all fine for prestaging and rejoining but what are the minimum permissions required for a fresh domain join?

If we want to restrict or control the permissions used for domain joins, we have to account for the fact that a fresh domain join is not the same activity as a domain rejoin: each requires different permissions. In practice this means at least two accounts, one for domain joins and one for domain rejoins.

What is a fresh domain join?

A fresh domain join is essentially where the device does not exist in Active Directory prior to actively joining the device to the domain from the client.

What is NOT a fresh domain join?

When a computer object already exists prior to the join activity, alternate permissions are required in order to re-join the domain. This includes computer objects that are prestaged – even if they have never physically joined the domain.

Once a machine has been freshly joined, if it is rebuilt and the computer object still exists, it must be re-joined.

For more information on rejoining – check out Domain Rejoin or Prestaging – Minimum Permissions.
Now that we have that out of the way, what are the minimum permissions required for a fresh join?

The Join account must be assigned (either directly or via group) the following two rights on the OU/Container into which the computer will be joined:

  • Create/Delete Computer Objects – this object only
  • Create/Delete Computer Objects – Descendant Organizational Unit Objects

Example Computer OU permissions for T2 Computers

Once a machine has joined the domain, the permissions that the join process grants on the resulting computer object to the account that performed the join are no longer required, and arguably represent an ongoing security risk.

To mitigate this risk, a script could be scheduled to:

  • Remove any permissions that have been directly assigned to Domain Join accounts
  • Change the owner of each computer to “Domain Admins”
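One way to implement that scheduled clean-up, written here as an added example rather than a script from the original article: it walks a computer OU, strips non-inherited ACEs granted to the join account(s), and sets the owner to Domain Admins. The account names and OU are placeholders, the ActiveDirectory module is assumed to be installed, and the task is assumed to run as an account allowed to modify security descriptors and take ownership on those objects.

```powershell
# Added example (not from the original article): scheduled clean-up of the
# permissions a domain-join account acquires on the computer objects it joined.
# Assumptions: ActiveDirectory module available; $JoinAccounts and $ComputerOU
# are placeholders; the task runs as an account that may rewrite the security
# descriptor and assign ownership to Domain Admins on these objects.
Import-Module ActiveDirectory

$JoinAccounts = @('CONTOSO\svc-domainjoin')           # placeholder join account(s)
$ComputerOU   = 'OU=T2 Computers,DC=contoso,DC=com'   # placeholder computer OU
$NewOwner     = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Domain Admins')

$computers = Get-ADComputer -SearchBase $ComputerOU -Filter * -Properties DistinguishedName

foreach ($computer in $computers) {
    $path    = "AD:\$($computer.DistinguishedName)"
    $acl     = Get-Acl -Path $path
    $changed = $false

    # Remove only explicit (non-inherited) ACEs held by a join account; inherited
    # entries come from the OU and are left for the OU-level permission design.
    $stale = $acl.Access | Where-Object {
        -not $_.IsInherited -and ($JoinAccounts -contains $_.IdentityReference.Value)
    }
    foreach ($ace in $stale) {
        [void]$acl.RemoveAccessRule($ace)
        Write-Output "$($computer.Name): removed $($ace.ActiveDirectoryRights) for $($ace.IdentityReference)"
        $changed = $true
    }

    # Transfer ownership away from the join account to Domain Admins.
    if ($acl.Owner -ne $NewOwner.Value) {
        $acl.SetOwner($NewOwner)
        Write-Output "$($computer.Name): owner changed from $($acl.Owner) to $($NewOwner.Value)"
        $changed = $true
    }

    # Write the descriptor back only when something actually changed.
    if ($changed) {
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it first with `Set-Acl` commented out to review the logged changes before scheduling it, since the output lines double as an audit trail of which objects still carried join-account permissions.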

Setting up specific Domain “Join” and “Rejoin” accounts can help secure your domain. This article talks about minimum domain join permissions. For more information on rejoin/prestaging permissions, take a look at this article:
Domain Rejoin or Prestaging – Minimum Permissions
