If an account does not already exist in Active Directory by default, a machine trust account for the system is automatically created in the default container for computer accounts (cn=Computers) as part of the domain join operation. The following users are allowed to perform domain join:
Domain administrator. Can join any number of systems to the domain with machine trust accounts placed in any containers.
Delegated administrator with authority over one or more Organizational Units. Can join any number of systems to a domain with machine account location designated in the Organizational Units they are responsible for.
Normal user with machine accounts pre-staged by administrator. Can join a system to the domain as pre-authorized by an administrator.
Normal user. Normally authorized to join a limited number of systems.
Active Directory Domain - The fully-qualified name or NetBIOS name of an Active Directory domain
User - An AD user who has credentials to create a computer account in Active Directory
Password - The administrative user's password
Additional DNS Search Path - When this optional property is specified, DNS queries are resolved against this domain, in addition to the primary DNS domain and the Active Directory domain
Organizational Unit - Specifies an alternative organizational unit in which the system's machine trust account will be created. The organizational unit is specified as a comma-separated list of one or more name-value pairs using the domain-relative distinguished name (DN) format, for example, ou=innerOU,ou=outerOU.
Use Pre-created Account - If the system's account exists and the specified Organizational Unit is not the one that the account is in, use the pre-created account.
The following list describes the configurable property for joining a workgroup.
Windows Workgroup - A workgroup