A RIS service needs to create a Machine Account Object (MAO) in the domain, to finish setting up a client.
For pre-staged clients that already have a machine account created, certain rights need to be granted to allow users to install.
The credentials of the user who logs on using the Client Installation Wizard (CIW) are used to create the machine account, so the rights on the default container that hold the machine account needs to be modified to grant these rights.
RIS places all newly created MAOs in the Computers container, but you can modify this by editing the properties of the RIS server, using the Active Directory Users and Computers snap-in.
NOTE: To view/change the security attributes of an object in the snap-in, you must check Advanced Features on the View menu.
The options available are:
Users can create their own machine accounts (Low security) - For this option, modify the security on the container that will hold the new MAOs to include an Access Control Entry (ACE) for the user (or group) allowing the Create All Child Objects permission. The creator of this object becomes the owner, giving the creator full control of this object only. This option allows the user to reinstall, if required, without administrator assistance.
All machine accounts are pre-staged. (High security) - Pre-staged systems are those for which the MAO is created ahead of time, in preparation for a user installing the system. With this option, you should set:
User cannot re-install the system on the Computer object, NOT the container.
Read all Properties and Write all Properties on the Computer object, NOT the container.
User can re-install the system - requires Read all Properties, Write all Properties, and Reset and Change Password on the Computer object, NOT the container.