Environment: 1 Win2008R2 network server (also domain controller), 13 or so workstations.
Traditionally we've always used the server administrator credentials to join a workstation to a business domain network of 13 workstations. However, we're now enforcing password policies, and it's required that the admin password change regularly.
The network server admin account password was changed today as a result of this policy enforcement.
My network user account password that's used on my workstation also had to be updated.
I logged off my workstation and back in after being prompted to change the password. I was then required to enter Domain Admin credentials to access the domain. I suspect this was because the server admin account password was changed.
I had thought that as the workstation was already added to AD that it would be remembered, but the credentials still needed to be entered on the workstation.
So this had me thinking that there has to be a better/correct way to do this.
I thought I could create a Domain Admin user just for this purpose and set the password to never expire but I think that surely defeats the purpose in the first place of maximising security.
So what is the best way to do this?
I.e. when first adding/joining a workstation to a network domain, what Domain Admin credentials should be entered?
All of the articles and YouTube videos I've seen so far say to enter Administrator and its password.
Please let me know if this requires further expansion.
Best Answer
Ideally, each technician/administrator should have at least two (if not more) accounts.
Accordingly, the technician's Workstation Admin account should be used to join the computer to the domain. Shared accounts should be used only in situations where no other option is available. Alternatively, I could see an option where an automated deployment tool (like SCCM or something) could leverage a dedicated account with no access other than that of joining computers to the domain in a dedicated OU.
In order for it to work properly (aside from the first 10 workstations joined), you can refer back to this article: https://support.microsoft.com/en-us/help/932455/error-message-when-non-administrator-users-who-have-been-delegated-con (an oldie but a goodie). In short, the steps are
The trick is that the workstation admin account should be a member of a group of "workstation admins" from there all access and permissions should be granted to the workstation admin group.
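The setup the answer describes, as an added PowerShell example that is not part of the original answer: a dedicated "Workstation Admins" group, a per-technician account in it, the OU-level permissions from KB 932455 delegated to the group rather than to any individual, and the join itself performed with that account. The domain `corp.example`, the OUs, the group and the account name `jsmith-wa` are assumptions; adjust them to your environment. Run the delegation part on the domain controller with the RSAT ActiveDirectory module and the join part on the workstation.

```powershell
# --- On the domain controller (PowerShell with the ActiveDirectory module) ---
Import-Module ActiveDirectory

# Assumed names: replace with your own domain, OUs, group and account.
$domainNetbios = "CORP"
$domainDns     = "corp.example"
$workstationOU = "OU=Workstations,DC=corp,DC=example"
$groupsOU      = "OU=Groups,DC=corp,DC=example"
$adminsOU      = "OU=Admin Accounts,DC=corp,DC=example"
$groupName     = "Workstation Admins"

# 1. The group that carries the delegation. Permissions go to the group only,
#    so adding or removing a technician never touches the OU's ACL.
New-ADGroup -Name $groupName -SamAccountName "WorkstationAdmins" `
    -GroupScope Global -GroupCategory Security -Path $groupsOU

# 2. A technician's separate workstation-admin account (not their day-to-day
#    user, and not a Domain Admin). Its password can rotate under the normal
#    policy without affecting machines that are already joined.
New-ADUser -Name "jsmith-wa" -SamAccountName "jsmith-wa" -Path $adminsOU `
    -AccountPassword (Read-Host -AsSecureString "Password for jsmith-wa") `
    -Enabled $true
Add-ADGroupMember -Identity $groupName -Members "jsmith-wa"

# 3. Delegate exactly the rights KB 932455 lists, on the workstation OU:
#    create/delete computer objects on the OU itself (/I:T) and, on the
#    computer objects underneath it (/I:S), reset password, write account
#    restrictions, and the two validated writes the join needs.
$grantee = "$domainNetbios\$groupName"
dsacls $workstationOU /I:T /G "${grantee}:CCDC;computer"
dsacls $workstationOU /I:S /G "${grantee}:CA;Reset Password;computer"
dsacls $workstationOU /I:S /G "${grantee}:RPWP;Account Restrictions;computer"
dsacls $workstationOU /I:S /G "${grantee}:WS;Validated write to DNS host name;computer"
dsacls $workstationOU /I:S /G "${grantee}:WS;Validated write to service principal name;computer"

# 4. (Optional hardening) The "first 10 workstations" the answer mentions come
#    from ms-DS-MachineAccountQuota, which lets any authenticated user join
#    10 machines. Setting it to 0 means only delegated accounts can join.
Set-ADDomain -Identity $domainDns -Replace @{ "ms-DS-MachineAccountQuota" = "0" }

# Review the resulting ACL before handing the account to a technician.
dsacls $workstationOU

# --- On the workstation being joined (run as local administrator) ---
# The technician supplies the delegated account, never a Domain Admin.
# -OUPath places the computer object where the delegation applies.
$cred = Get-Credential "CORP\jsmith-wa"
Add-Computer -DomainName "corp.example" `
    -OUPath "OU=Workstations,DC=corp,DC=example" -Credential $cred
Restart-Computer
```

Two checks worth doing afterwards: a member of the group should be able to join a machine into the workstation OU but get "access denied" when trying to create the computer object in any other OU, and an account outside the group should fail the join once the quota is 0. Note that `dsacls` grants are additive; run `dsacls $workstationOU` and look for the group's entries rather than assuming a second run replaced the first.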