3

I have the following under RULES for under the properties window for deployment:

JoinDomain=MYDOMAIN
DomainAdmin=MYID
DomainAdminDomain=MYDOMAIN
DomainAdminPassword=MYPW

Is it safe to add the main Admin account there or do I need to create one that only has the power to join a computer to the domain?

Jason
  • 3,821
  • 17
  • 65
  • 106

1 Answers1

3

In my opinion, always create an account for a specific job such as this.

You will probably need to take into consideration as to where you've put your MDT Deployment Share.

Some people tend to leave the Deployment Share on the boot drive of the WDS server or in some other easily accessible place in which the NTFS permissions aswell as Share permissions read : Everyone : Full Permission.

The values you input are ultimately stored in plain text : DeploymentShare\Control\CustomSettings.ini

This means that if your deployment share is left with very open permissions, a domain user can quite easily browse to the location and read those credentials.

So to conclude, I think it depends on whether you've secured your deploymentshare from curious end users, although I always think it's best practice to create a dedicated account to handle processes such as this

Mbond65
  • 166
  • 6