We’re in a situation where the customer wants us to avoid installing anything on a DC. Can we domain join using another server in lieu (has LOS to DC)?
I’m sure script can probably be written to do this, yes, but the current script implementation assumes and requires at least one agent on a domain controller. This (in my opinion) is a more secure option than having to store and transmit domain admin credentials to perform the join from a LOS machine as opposed to running the script on the domain controller in system context without the need for domain admin credentials to be saved or transmitted.
The concern that was brought to us had to do with having an agent with full access to the domain controller. Our customer was seeking a way to minimise access to the agent.
I was thinking of executing the actual command on a machine with RSAT, with immy running under a service account.
This currently concerns me → Get-OfflineDomainJoinToken
Is there a way to run that against a non-DC machine or does that function have to be rewritten? I can just copy the majority of the existing domain join as is.
The service itself can run on an MSA
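For reference, the step that the thread is circling (producing an offline domain join blob from a domain member that is not a DC, then consuming it on the new machine) is what `djoin.exe` does natively. The script below is an added example and is not ImmyBot's `Get-OfflineDomainJoinToken` or any other part of its domain join script; it assumes `djoin.exe` is present (it ships with Windows), that the account running the provisioning side has been delegated the right to create computer objects in the target OU, and that the domain, OU and DC names are placeholders to be replaced.

```powershell
# Added example, not ImmyBot's own code. Provisions an offline domain join (ODJ)
# blob on a domain member that has line of sight to a DC, and consumes it on the
# machine being joined. The provisioning account does NOT need to be a Domain
# Admin: delegate "Create Computer objects" on the target OU to the service or
# managed service account instead, which is the least-privilege shape for this.

function New-OdjBlob {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,        # placeholder, e.g. corp.example.com
        [Parameter(Mandatory)] [string] $ComputerName,  # name of the computer account to create
        [string] $MachineOU,                            # placeholder OU distinguished name (optional)
        [string] $DcName,                               # optional: pin a specific DC
        [switch] $Reuse                                 # reuse an existing computer account
    )

    # djoin writes the blob to a file; use a temp file and remove it afterwards so
    # the blob (which embeds the initial machine account password) does not linger.
    $saveFile = Join-Path $env:TEMP ("odj-{0}.txt" -f [guid]::NewGuid())
    $args = @('/provision', '/domain', $Domain, '/machine', $ComputerName, '/savefile', $saveFile)
    if ($MachineOU) { $args += @('/machineou', $MachineOU) }
    if ($DcName)    { $args += @('/dcname', $DcName) }
    if ($Reuse)     { $args += '/reuse' }

    try {
        & djoin.exe @args | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "djoin /provision failed with exit code $LASTEXITCODE"
        }
        # The saved file is UTF-16 text containing the base64 blob; return it as a string
        # so the caller can transport it over an already-authenticated channel.
        return (Get-Content -LiteralPath $saveFile -Raw -Encoding Unicode).Trim()
    }
    finally {
        if (Test-Path -LiteralPath $saveFile) { Remove-Item -LiteralPath $saveFile -Force }
    }
}

function Complete-OdjJoin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Blob   # the string returned by New-OdjBlob
    )

    # Runs on the target machine as SYSTEM (or an elevated admin). /localos applies
    # the join to the running OS; a reboot is still required to finish.
    $loadFile = Join-Path $env:TEMP ("odj-{0}.txt" -f [guid]::NewGuid())
    try {
        Set-Content -LiteralPath $loadFile -Value $Blob -Encoding Unicode
        & djoin.exe /requestodj /loadfile $loadFile /windowspath $env:SystemRoot /localos | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "djoin /requestodj failed with exit code $LASTEXITCODE"
        }
        return $true
    }
    finally {
        if (Test-Path -LiteralPath $loadFile) { Remove-Item -LiteralPath $loadFile -Force }
    }
}

# Usage (provisioning side, on the RSAT/member server, as the delegated account):
#   $blob = New-OdjBlob -Domain 'corp.example.com' -ComputerName 'WS-0042' `
#                       -MachineOU 'OU=Workstations,DC=corp,DC=example,DC=com'
# Usage (target side, as SYSTEM, after the blob has been delivered):
#   Complete-OdjJoin -Blob $blob; Restart-Computer
```

The point of the split is what the thread is weighing: the only domain-side secret in play is the per-machine blob, created by an account that holds a delegated right on one OU rather than Domain Admin, and no agent needs to run on the DC. The blob should be treated like a credential in transit and at rest (it is sufficient to join that one computer account), which is why both functions delete their temp files and why it should only travel over a channel the management tool already authenticates.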