Microsoft AD - Creating a user account for domain joins/binds
When joining a lot of machines to a domain, it is normally a good idea to set up a dedicated account for this task with the lowest level of permissions possible. Any domain user can join a computer to the domain, but by default each user is limited to performing the join operation 10 times (the domain's ms-DS-MachineAccountQuota).
To create a dedicated domain user that isn't subject to this limit, follow the steps below:
1. Log in to your domain controller via RDP or another method.
2. Open the 'Active Directory Users and Computers' tool.
3. Select the organisational unit (OU) that you would like to create the user in, and press the create user button.
4. Enter the new user's details and click 'Next'.
5. Enter a password and ensure that 'User must change password at next logon' is unticked. Optionally, tick 'Password never expires'.
6. Click 'Next', then click 'Finish'.
7. Right-click the OU or container where computer objects will be created and select 'Delegate Control'.
8. Click 'Next' when the wizard opens, then click 'Add' and enter the username of the user you just created.
9. On Windows Server 2012, skip to step 12.
10. Ensure 'Join a computer to the domain' is ticked in the 'Delegate the following common tasks' list.
11. Click 'Next', then click 'Finish'.
12. Select 'Create a custom task to delegate'.
13. Choose 'Only the following objects in the folder' and tick 'Computer objects'. Tick 'Create selected objects in this folder'. Click 'Next'.
14. Under Permissions, select 'General' and tick 'Create All Child Objects'. Click 'Next'.
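The same account creation and delegation as a script, added here as an example and not taken from the original article. It uses the ActiveDirectory PowerShell module; the account name svc-domainjoin and the OU path are assumptions to replace for your environment, and the rights granted are scoped to computer objects only rather than all child objects.

```powershell
# Added example: create a dedicated domain-join account and delegate only the
# rights that a domain join needs on one OU. Names and paths are assumptions.
# Run from an elevated PowerShell on a DC (or a host with RSAT) as a user allowed
# to modify the OU's security descriptor.
Import-Module ActiveDirectory

$JoinUser   = 'svc-domainjoin'                        # assumed account name
$ComputerOU = 'OU=Workstations,DC=example,DC=com'     # assumed OU for computer objects
$Password   = Read-Host -AsSecureString -Prompt "Password for $JoinUser"

# Step 1: the account itself (no forced password change at next logon).
New-ADUser -Name $JoinUser -SamAccountName $JoinUser -AccountPassword $Password `
    -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
    -Description 'Delegated domain-join account' -ErrorAction Stop

# Well-known schema and extended-right GUIDs behind the
# 'Join a computer to the domain' common task.
$ComputerClass    = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$ResetPassword    = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password right
$ValidatedDnsHost = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write: DNS host name
$ValidatedSpn     = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write: SPN
$AccountRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions set

$Sid  = (Get-ADUser $JoinUser).SID
$Path = "AD:\$ComputerOU"
$Acl  = Get-Acl -Path $Path

# Step 2: create (and remove) computer objects in this OU only, not all child objects.
$Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, 'CreateChild, DeleteChild', 'Allow', $ComputerClass, 'None'))

# Step 3: rights on computer objects below the OU, so a pre-staged account can
# also be joined: reset its password, set its DNS name, SPNs and account flags.
$Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, 'ExtendedRight', 'Allow', $ResetPassword, 'Descendents', $ComputerClass))
foreach ($g in $ValidatedDnsHost, $ValidatedSpn) {
    $Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, 'Self', 'Allow', $g, 'Descendents', $ComputerClass))
}
$Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, 'ReadProperty, WriteProperty', 'Allow', $AccountRestrict, 'Descendents', $ComputerClass))

Set-Acl -Path $Path -AclObject $Acl

# Step 4: review exactly what the account was granted on the OU.
(Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference -like "*\$JoinUser" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Once a dedicated join account exists, many environments also set ms-DS-MachineAccountQuota to 0 so that ordinary users can no longer join machines at all.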