2Sweet said:
I have an AD account solely for the purpose of joining workstations as a
domain member. What are the rights to be granted to this account?

Look into doing this with PERMISSION on the Parent AD Organizational
Units rather than using Rights*.
You should be able to get the least amount of privilege using this approach,
perhaps as little as just the permission to add computers there.
*Rights and Permissions are NOT the same thing on Windows systems
although for some tasks there is an overlap between these privileges.
Generally, rights are more generic (and perhaps more powerful) but there
is no accurate comparison as they really are used quite differently for MOST
tasks.
Rights are given directly to a "Security Principal" (group or user mostly)
and permissions are actually ON THE OBJECT that lets the group or user do
something TO IT.
Rights were needed for adding workstations to the domain in NT since NT
had no granular permission on the accounts database.
Win2000 and later AD has the ability to set PERMISSIONS on any OU (tree)
of the Directory and thus much more closely (granularly) control the same
basic privilege.
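
The approach described in the reply above, as an added example that is not part of the original thread: it places a single "create computer objects" permission on one OU for the join account and then lists what that account holds there. The OU distinguished name and account name are placeholders, and the script assumes the ActiveDirectory PowerShell module (which provides the `AD:` drive) is installed.

```powershell
# Added example: delegate "Create Computer objects" on one OU to a join account.
# Placeholder names (assumptions): OU=Workstations,DC=example,DC=com and EXAMPLE\svc-join.
Import-Module ActiveDirectory

$ouDn     = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$joinAcct = 'EXAMPLE\svc-join'                    # placeholder join account

# schemaIDGUID of the "computer" object class, so the ACE covers that class only.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Resolve the account to a SID; this fails early if the account does not exist.
$sid = (New-Object System.Security.Principal.NTAccount($joinAcct)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# A permission ON THE OU object: allow creating child objects of class "computer".
# Inheritance "All" applies it to the OU and the tree below it.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Review step: show every explicit entry the join account now holds on this OU.
# Anything beyond CreateChild on the computer class is more than was delegated here.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $joinAcct -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```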