In the series about my top 10 of new or renewed features in Configuration Manager 2012 Service Pack 1, I would like to dedicate this blog to a small but nice new feature while creating Task Sequences. While creating a Task Sequence you are able to configure a Domain Join account to be able to automatically join the operating system to the domain. Let’s see what is changed there, it is a small thing but I like it 🙂
In the RTM version of Configuration Manager 2012 you need to configure an account and password for joining the domain like shown below. Without the verify option the possibility of a wrong name and password combination was possible since there was only a check is the password was the same in both fields.
Looking at this same option in Configuration Manager 2012 Service Pack 1 you see a verify button that is added to the window.
Selecting this option will give you the option to test the username and password combination. Watch out, getting a result that the connection was successfully verified does not say that you will have the permissions to add the system to the domain.
You still need to arrange that your domain join account has the right permissions like shown below:
Do not use an account that is a member of the Domain Admins group, during the deployment the password will be written in plain text into the unattend.xml. Create an account with the following permissions on an OU where your Computer object are located or at the top level of the domain.
|Create Computer Objects||This object and all descendant objects|
|Delete Computer Objects||This object and all descendant objects|
|Read All Properties||Descendant Computer Objects|
|Write All Properties||Descendant Computer Objects|
|Read Permissions||Descendant Computer Objects|
|Modify Permissions||Descendant Computer Objects|
|Change Password||Descendant Computer Objects|
|Reset Password||Descendant Computer Objects|
|Validated write to DNS host name||Descendant Computer Objects|
|Validated write to service principal name||Descendant Computer Objects|
Let me know what new or changed ConfigMgr 2012 SP1 feature do you like the most and vote If you miss a feature, please let me know!
Earlier blogs in this series are:
- My top 10 new features of ConfigMgr 2012 SP1 – part 1, OSD enhancements
- My top 10 new features of ConfigMgr 2012 SP1 – part 2, Software Update Deployment
- My top 10 new features of ConfigMgr 2012 SP1 – part 3, checking status of Task Sequence deployment
after you Click the Button “Test Connection” retype the Password, if you dont retype the Wizard will save a empty Password in the Unattend.XML and your Domain join will fail 😉