I've been experimenting with Windows Deployment Services on Windows Server 2012 R2, trying to deploy a Server Core and join it to a domain unattended.
However, when performing Unsecure Join, the "test-user" can only succeed when JoinRights is set to Full with the following command:
WDSUTIL /Set-Device /Device:test-wds-client /JoinRights:Full /User:test-user
Whereas setting JoinRights to JoinOnly will always result in failure 0x80070005, i.e. access denied. As the WDSUTIL doc says,
JoinOnly requires the administrator to reset the computer account before the user can join the computer to the domain.
I've reset the computer account in both the WDS MMC console and the Active Directory Users and Computers, but neither way worked.
Inspecting the computer account, its ACL has 2 more deny ACEs for "test-user" in the beginning, when JoinRights is set to JoinOnly compared to Full. One ACE is changing the password and the other is resetting the password.
Therefore, with these deny ACEs it seems to be impossible for "test-user" to join the computer to the domain. Is my interpretation correct?