07-21-2019 03:03 AM
Dear Members,
I am facing an issue while joining the domain; it is giving the error below. Please help: how can I resolve this issue? The user ABC is authorized to join the domain. NTP is also synchronized.
Error Description: Access is denied
Support Details...
Error Name: ERROR_ACCESS_DENIED
Error Code: 5
Detailed Log:
12:57:31 Joining to domain XXXXDOMAIN.LOCAL using user ABC
12:57:31 Checking credentials for user ABC
12:57:31 Getting TGT for account ABC@XXXXDOMAIN.LOCAL
12:57:31 TGT for account ABC@XXXXDOMAIN.LOCAL was retrieved successfully
12:57:31 Credentials for user ABC were verified
12:57:31 Searching for DC in domain XXXXDOMAIN.LOCAL
12:57:31 Found DC: xxxxdc01.xxxxdomain.local , client site is Head-Office , dc site is Head-Office
07-21-2019 06:57 PM
You might be using an older ISE release, as I expected the error would have indicated more details (see my example below). If you are just learning on your own and not entitled to open a TAC case, then please enable TRACE on the component active directory, retry this join operation, and check the log file ad_agent.log. Also, you should be able to enable some auditing in AD, and please seek Microsoft support if you need any help on that.
Here is my error example:
Error Description: Access Is Denied
Support Details...
Error Name: ERROR_ACCESS_DENIED
Error Code: 5
Detailed Log:
Error Description : Cannot Open Machine Account ISE-1$ : Access Denied.
Error Resolution : Please Make Sure That User Employee1 Has Sufficient Permissions To Change Account ISE-1$
Join Steps :
01:50:11 Joining To Domain DEMO.LOCAL Using User Employee1
01:50:11 Checking Credentials For User Employee1
01:50:11 Getting TGT For Account Employee1@DEMO.LOCAL
01:50:11 TGT For Account Employee1@DEMO.LOCAL Was Retrieved Successfully
01:50:11 Credentials For User Employee1 Were Verified
01:50:11 Searching For DC In Domain DEMO.LOCAL
01:50:11 Found DC: Ad.demo.local , Client Site Is Default-First-Site-Name , Dc Site Is Default-First-Site-Name
01:50:11 Generating Account Name For ISE Machine In DEMO.LOCAL
01:50:11 Searching For An Existing Machine Account
01:50:11 Searching Object By Filter : (&(objectCategory=computer)(servicePrincipalName=host/ise-1.demo.local))
01:50:11 Account: Ise-1 Was Found
01:50:11 ISE Machine Account Name Is : ISE-1$
01:50:11 Creating Machine Account ISE-1$
01:50:11 Connecting To AD Using DC Ad.demo.local
01:50:11 Connection To Ad.demo.local Established
01:50:11 Opening Domain DEMO
01:50:11 Domain DEMO Was Opened Successfully
01:50:11 Machine Account: ISE-1$ Already Exists , Opening Account.
01:50:11 Cannot Open Machine Account ISE-1$ : Access Denied.
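One way to check the permissions that the "Error Resolution" line in the log above points at, as an added example that is not part of the original reply and not Cisco's own tooling. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module and an account allowed to read the object's security descriptor; the user name and SPN are the sample values from the log above.

```powershell
Import-Module ActiveDirectory

# Sample values from the join log quoted above; substitute your own.
$joinUser = 'Employee1'
$spn      = 'host/ise-1.demo.local'

# SIDs the join user acts as: its own SID plus every (nested) group in tokenGroups.
# Well-known principals such as Authenticated Users are not part of tokenGroups.
$user = Get-ADUser -Identity $joinUser -Properties tokenGroups
$sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })

# Same LDAP filter the join log shows under "Searching Object By Filter".
$filter    = "(&(objectCategory=computer)(servicePrincipalName=$spn))"
$computers = @(Get-ADComputer -LDAPFilter $filter -Properties whenCreated)

if ($computers.Count -eq 0) {
    Write-Output "No existing machine account matches $spn."
}

foreach ($c in $computers) {
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    Write-Output "Account : $($c.SamAccountName)  created $($c.whenCreated)"
    Write-Output "DN      : $($c.DistinguishedName)"
    Write-Output "Owner   : $($acl.Owner)"

    # Request ACEs with SID identities so they can be matched against $sids.
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $sids -contains $_.IdentityReference.Value }

    if (-not $aces) {
        Write-Output "No ACE on this object names $joinUser or any of its groups."
    } else {
        $aces |
            Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited |
            Format-Table -AutoSize
    }
}
```

An existing machine account whose ACL carries no Allow entry for the join user or its groups, or carries a Deny entry, is consistent with the "Cannot Open Machine Account ... Access Denied" step in the log.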
02-22-2023 12:20 AM
Dear members,
Could you share the solution to this, please?
07-21-2019 06:58 PM
Another possibility is some kind of ISE system issue; e.g. CSCvk23793
08-12-2020 08:06 AM
Hi,
How did you solve it? I have exactly the same issue in version 2.6.
10-22-2020 05:16 PM
Did you folks ever share your solution?