I'm a linux admin by trade, and my new job has me managing windows servers.
I'm trying to create a windows server 2012 base image using packer. As part of the provisioning, the VM needs to be connected to active directory via a script. Obviously I don't want to put my personal password into the script.
Is it possible to create a user in Active Directory who has rights to bind a machine to AD, but can't perform any other actions (for compliance)?
Ordinarily, each and every Active Directory user can add up to 10 computer accounts to a domain, without the need to be a domain administrator; however, this behavior can be customized by domain policies, thus it might not be your case; and even if it was, you'd run into a problem as soon as the same user account needs to be used to add an 11th computer.
The proper way to go is to grant to this user account the special permission "Create Computer Objects" on the "Computers" container in Active Directory (where new computers are added by default), and/or on any other OU where new computers could be added (although it is a bit more difficult to add them somewhere in the directory outside the default "Computers" container).
https://technet.microsoft.com/en-us/library/cc780195(v=ws.10).aspx
Sure, create your account, don't join it to any groups and put it somewhere in AD where it won't get any rights assigned by group policy. By default authenticated users can join computers to the domain, if this has been changed, you'll need to make sure your account is granted the Add workstations to the domain right via group policy. This is in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. You can also do it by giving the account permissions on the OU where you want the computer placed. To do that grant the account the Create Computer objects permission on the OU you want it to use.
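As an added worked example (not code from either answer above), the delegation both answers describe, done in PowerShell with the RSAT ActiveDirectory module: create a dedicated join account with no group memberships, then grant it only the "Create Computer objects" permission on one OU. The OU distinguished names and the account name are constructed placeholders; the script assumes it is run by someone allowed to modify that OU's ACL.

```powershell
# Added example, not from the original answers. Requires the RSAT ActiveDirectory
# module (provides the AD: drive) and rights to change the target OU's ACL.
Import-Module ActiveDirectory

$serviceOu   = 'OU=Service Accounts,DC=example,DC=com'   # placeholder: where the account lives
$computerOu  = 'OU=Packer-Build,DC=example,DC=com'       # placeholder: where joined machines land
$joinAccount = 'svc-packerjoin'                          # placeholder account name

# 1. Create the join account. It is added to no groups, so it only carries the
#    implicit Domain Users membership and whatever this single ACE grants.
New-ADUser -Name $joinAccount -SamAccountName $joinAccount -Path $serviceOu `
    -AccountPassword (Read-Host -AsSecureString "Password for $joinAccount") `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Look up the schema GUID of the "computer" object class. Naming it in the ACE
#    restricts the grant to creating computer objects and nothing else.
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# 3. Add an Allow ACE for CreateChild of class "computer" on the OU, inherited
#    by any child OUs created later.
$sid  = (Get-ADUser -Identity $joinAccount).SID
$path = "AD:\$computerOu"
$acl  = Get-Acl -Path $path
$ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 4. Verify: the only ACE on the OU naming this account should be CreateChild
#    scoped to the computer class GUID.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$joinAccount" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

The join script in the Packer build then uses this account with `Add-Computer -OUPath $computerOu`, so the created object lands in the OU where the permission applies; an attempt to place it anywhere else fails once the account's 10-computer default quota is exhausted or removed by policy.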