HOW TO: Create a dedicated account to join computer to a domain
  • KB ID: KB-01026
  • Created: 09/13/2017 8:46 AM
  • Updated: 09/13/2017 8:51 AM


A domain join works as long as the computer object has not been touched (moved or recreated) by a domain administrator account. After that, a re-join no longer works: the computer account has to be removed before a join succeeds again.

More Information

During the ASetup phase (when Windows is being configured by Columbus and the lock screen is visible), the domain join writes “2224 Computer Account already exists” to the log. The computer does not get rejoined to Active Directory because the old join data is still present.


If a computer account gets moved, the last user account that touched it is recorded as its owner. To reset this ownership, the join account needs additional rights.


Follow these steps:


  1. Create a standard Windows user account.
  2. Right-click the Computers Organizational Unit (OU) within your AD domain.
  3. From the context menu choose Delegate Control.
  4. On the next screen (Users or Groups) choose Add, select the user account you just created and click Next.
  5. Choose “Create a custom task to delegate” on the next screen.
  6. Next, choose to delegate control only to computer objects, tick Create and Delete selected objects in this folder, and click Next.
  7. On the next screen choose to show General permissions, select the following from the list and click Next:

    • Reset password
    • Read and write account restrictions
    • Validated write to DNS host name
    • Validated write to service principal name
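The same delegation can be scripted instead of clicked through the wizard. The following PowerShell is an added example, not part of the KB article or of the Columbus product: it creates the join account, resolves the schema and extended-right GUIDs from the forest rather than hard-coding them, and grants exactly the rights listed in steps 6 and 7 on the target container. It assumes the RSAT ActiveDirectory module is installed, that it runs under a domain administrator, and that the values of $JoinUser and $TargetOU are placeholders you replace with your own.

```powershell
# Added example: delegate the domain-join rights from steps 6 and 7 with PowerShell.
# Assumptions: RSAT ActiveDirectory module present, run as a domain admin,
# $JoinUser / $TargetOU are placeholders for your environment.
Import-Module ActiveDirectory

$JoinUser     = 'svc-domainjoin'                                   # placeholder name
$JoinPassword = Read-Host -AsSecureString 'Password for join account'
$Domain       = Get-ADDomain
$TargetOU     = "CN=Computers,$($Domain.DistinguishedName)"         # or your OU=... path

# Step 1: a plain user account with no extra group membership
$user = New-ADUser -Name $JoinUser -SamAccountName $JoinUser `
            -Description 'Dedicated domain-join account' `
            -AccountPassword $JoinPassword -Enabled $true -PassThru
$sid  = [System.Security.Principal.SecurityIdentifier]$user.SID

# Resolve GUIDs from this forest's schema / Extended-Rights container
$rootDSE = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
             -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID            # byte[] -> Guid
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
             -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$computerClass = Get-SchemaGuid 'computer'
$resetPassword = Get-RightsGuid 'Reset Password'
$accountRestr  = Get-RightsGuid 'User-Account-Restrictions'   # "account restrictions" property set
$validatedDns  = Get-RightsGuid 'Validated-DNS-Host-Name'
$validatedSpn  = Get-RightsGuid 'Validated-SPN'

$acl   = Get-Acl -Path "AD:\$TargetOU"
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# Step 6: create and delete computer objects only (not users, groups, ...)
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $Allow, $computerClass, $Inh::All))

# Step 7: rights that apply to descendant computer objects only
$rules = @(
    @{ Rights = 'ExtendedRight';               Guid = $resetPassword }  # Reset password
    @{ Rights = 'ReadProperty, WriteProperty'; Guid = $accountRestr  }  # Read/write account restrictions
    @{ Rights = 'Self';                        Guid = $validatedDns  }  # Validated write to DNS host name
    @{ Rights = 'Self';                        Guid = $validatedSpn  }  # Validated write to SPN
)
foreach ($r in $rules) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$r.Rights,
        $Allow, $r.Guid, $Inh::Descendents, $computerClass))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show only the ACEs granted to the join account
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq "$($Domain.NetBIOSName)\$JoinUser" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Scoping the Create/Delete rule to the computer class and the remaining rules to descendant computer objects keeps the account unable to touch users, groups or the container itself, which is the least-privilege point of using a dedicated join account rather than a domain administrator. Run the verification block afterwards and compare the listed object-type GUIDs against the four rights above before handing the account to Columbus.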

© 2000-2018 Brainware Consulting & Development AG