Restrict permissions to only allow joining PCs to Domain

Because of all the new security regulations being pushed on us, I need to buckle down on the permissions in our domain. We currently have a user ID set up in AD that is used to join the domain automatically in SysPrep on a new image. The password is set to never change (a security risk), but I can live with that if the user ID is locked down and can ONLY join computers to the domain. I don't want it to be able to log in or do anything else. Is this possible?
A roaming profile would be one solution. That way, the user that is logging on has his/her profile located on the server, and it is loaded every time they log on, no matter which computer.
dannyd74 (Author) commented:
The user ID is not associated with a real person. The user ID is simply there in the sysprep answer file to automatically join the domain on a new image. That's its only role.
I don't see why you couldn't do that, but I think it might not be a good idea. Accounts that don't have real people attached to them have a way of taking on a life of their own. Even though your intent is for the user account to never be able to do anything other than join machines to the domain, somewhere down the road, somebody will end up putting it in a group that has more rights than you wanted and so forth.

I've lived out this scenario. A number of us once had to work late to patch machines, so we created a user ID and a login script that ran the commands needed to patch the machine, so we would only have to log on to the machine and move on to the next. We had every intention of using this for two nights. Months later, we were arguing with management because the help desk felt like they needed an account with domain administrator privileges, and they wanted to use this generic account that we had not been allowed to delete because it was handy. Cripes. The help desk with domain admin rights, with a generic user ID to boot!

It is always best to stick to your guns and make people use their own user IDs and passwords. If help desk technicians are going to be installing the images, let them have the privileges they need. It may not be as convenient, but it will absolutely be worth it to you and the security of your network in the long haul.
Sure, this is possible -- simply change the account in AD such that it cannot log on to any workstations (in the Account tab --> "Log On To..." button, iirc). Then, in your domain security policy, in the User Rights Assignment section, add the username (or perhaps make a "joiner" group) to the "Add workstations to domain" setting.
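As an added example (not code from the thread), a PowerShell script for the approach in the answer above: a dedicated "joiner" group that receives the "Add workstations to domain" right via a security template, plus a check that the join account has picked up no other group memberships (the risk the earlier reply warned about). In place of the "Log On To..." button it uses the Deny log on user rights, which block interactive, RDP, batch and service logon for the account without affecting the network authentication a domain join needs. The account name 'svc-domainjoin' and group name 'DomainJoiners' are assumptions.

```powershell
# Added example, not from the thread. Assumed names: the SysPrep join account
# 'svc-domainjoin' and a dedicated security group 'DomainJoiners'.
Import-Module ActiveDirectory

$joinAccount = 'svc-domainjoin'
$joinGroup   = 'DomainJoiners'

# 1. The right goes to a group, never to the account directly, so that group
#    membership is the only thing that has to be audited later.
if (-not (Get-ADGroup -Filter "Name -eq '$joinGroup'")) {
    New-ADGroup -Name $joinGroup -GroupScope Global -GroupCategory Security `
        -Description 'Only right: Add workstations to domain (SeMachineAccountPrivilege)'
}
Add-ADGroupMember -Identity $joinGroup -Members $joinAccount

# 2. Security template for the GPO User Rights Assignment section. The
#    SeMachineAccountPrivilege line belongs in the Default Domain Controllers
#    Policy (the right is exercised on DCs) and replaces the default grant to
#    Authenticated Users; the deny lines go in a GPO linked to the workstation OUs.
$groupSid = (Get-ADGroup -Identity $joinGroup).SID.Value
$acctSid  = (Get-ADUser  -Identity $joinAccount).SID.Value
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeMachineAccountPrivilege = *$groupSid
SeDenyInteractiveLogonRight = *$acctSid
SeDenyRemoteInteractiveLogonRight = *$acctSid
SeDenyBatchLogonRight = *$acctSid
SeDenyServiceLogonRight = *$acctSid
"@
Set-Content -Path "$env:TEMP\domainjoin-rights.inf" -Value $template -Encoding Unicode

# 3. Check: the account must belong to nothing beyond Domain Users and the join group.
function Test-JoinAccountMembership {
    param([string]$Account, [string[]]$Allowed)
    $extra = Get-ADPrincipalGroupMembership -Identity $Account |
             Where-Object { $Allowed -notcontains $_.Name }
    if ($extra) { Write-Warning "Unexpected groups: $($extra.Name -join ', ')" }
    return (-not $extra)
}
Test-JoinAccountMembership -Account $joinAccount -Allowed @('Domain Users', $joinGroup)
```

Note that by default the "Add workstations to domain" right is held by Authenticated Users (limited by ms-DS-MachineAccountQuota, default 10), so restricting it to the joiner group only takes effect once that default grant is removed from the policy.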


dannyd74 (Author) commented:
Thanks anom.