Configure admin account to have permissions to join machines to domain, but nothing else. Possible?

We have sysprep'd  a VM image that automatically (via sysprep.inf) joins the new VM's to the domain using a cloned domain admin account

at the the moment it has full admin privileges.

Is it possible to configure this user account to ONLY be able to join machines to the domain, and NOTHING else?

(worth doing as the hash of the pass is in the sysprep.ini file, & NTLM rainbow tables are getting quite complete these days.)

Who is Participating?
Create a normal user and delegate the add workstations to domain privilege to that user:
Hi Wibble_,

you can try using the delegation of control wizard in AD under the OU where the user account resides
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.