Recently I got a question: what are the minimum required permissions to join vCenter appliance to AD? Do I need to use a domain admin account?
The answer is: No, you don't have to use admin account.
By default domain users (Authenticated Users) can add 10 machines to the domain. So it means that you can use normal user account to join vCenter Appliance to domain.
I checked on Windows 2012 R2 by creating a domain user and used it for joining vCenter Appliance to domain.
A virtual machine vCenter-Test has been joined to AD:
If you have prevented Authenticated Users from joining Workstations to domain, you can use Delegate Control to allow it. The minimum required permissions on Computer Object are:
- Reset Password
- Read and write Account Restrictions
- Validated write to DNS host name
- Validated write to service principal name
For more information, please follow links:
http://technet.microsoft.com/en-us/library/cc780195%28v=ws.10%29.aspx.
