Saw similar thread... Here is the section we use. The catch is that if you do not supply a MachineObjectOU, domain join will attempt to join in the default Computer OU. Which begs the question: does your account have access to that OU?
<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Identification>
    <Credentials>
      <Domain>ekc1</Domain>
      <Password>*SENSITIVE*DATA*DELETED*</Password>
      <Username>LZ00905</Username>
    </Credentials>
    <JoinDomain>dev.ekc.kodak.com</JoinDomain>
    <MachineObjectOU>OU=Workstations-Lab,OU=CST,OU=GDTS,OU=ROC,OU=US,OU=Americas,DC=dev,DC=ekc,DC=kodak,DC=com</MachineObjectOU>
  </Identification>
</component>
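An added example, not part of the original post: a pre-deployment check that reads an answer file and reports the condition described above (no MachineObjectOU), an OU whose DC components do not match JoinDomain, and a join password left in the file. The function names and the sample XML are constructed for illustration; the redaction marker is the one shown in the post.

```python
import xml.etree.ElementTree as ET

REDACTED = "*SENSITIVE*DATA*DELETED*"  # marker as it appears in the post
# Constructed sample: join section with no MachineObjectOU and a stored password.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="x86">
      <Identification>
        <Credentials><Password>constructed-placeholder</Password></Credentials>
        <JoinDomain>dev.corp.example</JoinDomain>
      </Identification>
    </component>
  </settings>
</unattend>"""

def local(tag):
    # Strip any '{namespace}' prefix so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def child_text(parent, name):
    # Text of the first descendant element with this local name, or None.
    for el in parent.iter():
        if local(el.tag) == name:
            return (el.text or "").strip()
    return None

def audit_unattended_join(xml_text):
    findings = []
    for comp in ET.fromstring(xml_text).iter():
        if local(comp.tag) != "component":
            continue
        if comp.get("name") != "Microsoft-Windows-UnattendedJoin":
            continue
        join_domain = child_text(comp, "JoinDomain")
        ou = child_text(comp, "MachineObjectOU")
        if not ou:
            findings.append("no MachineObjectOU: join targets the default computer container")
        elif join_domain:
            # The DC= parts of the OU path must spell out the domain being joined.
            parts = [p.strip() for p in ou.split(",")]
            dcs = [p[3:] for p in parts if p.upper().startswith("DC=")]
            if ".".join(dcs).lower() != join_domain.lower():
                findings.append("MachineObjectOU DC components do not match JoinDomain")
        pw = child_text(comp, "Password")
        if pw and pw != REDACTED:
            findings.append("Credentials/Password is stored in the answer file")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_unattended_join(SAMPLE)) or "no findings")
```

A clean result only says the file names an OU; whether the join account can create computer objects there still has to be confirmed in the directory.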