
Delegating Authority

Status
Not open for further replies.

yanks2112

IS-IT--Management
Jan 5, 2004
110
US
Hello All

I'm trying to set up limited access for some of my admins. I want them to be able to create users, add/remove group membership, reset passwords and join computers to the domain. So far they can do all except join computers to the domain. When they log into a computer, the change computer name/join a domain is greyed out. Am I missing something, or is this something that cannot be done?

Thanks
 
Here is what I did for a solution.....
1) Gave only domain admins access to the built-in Computer folder in ADUC. This way, only I have access to create computer accounts there and if an admin doesn't do step 3 below, they get an access denied.
2) Created an OU that these lower level admins are responsible for. We have admins in each physical location so I gave the Charlotte admin the permission to create/delete computer objects in the Charlotte\Computers OU. This way, they can only create and delete computer accounts in this OU and keep your ADUC organized. I have a root Charlotte OU that gives him Write All Properties that gets inherited down.
3) As long as these "admins" are local admins to the computer, all they have to do is create the computer account in ADUC BEFORE they join the newly created PC to the domain.

I hope this helped. Let me know if you have further questions.
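
Steps 2 and 3 above can also be scripted and the resulting permission checked. This is an added example, not part of the original posts; the domain `example.com`, the group `EXAMPLE\CharlotteAdmins` and the workstation name `CLT-PC001` are assumed placeholders.

```powershell
# Assumed names (not from the thread): domain example.com, delegated group
# EXAMPLE\CharlotteAdmins, workstation CLT-PC001.
Import-Module ActiveDirectory

$ou    = 'OU=Computers,OU=Charlotte,DC=example,DC=com'
$group = 'EXAMPLE\CharlotteAdmins'

# Step 2 (run as a domain admin): grant the group Create Child (CC) and
# Delete Child (DC) for computer objects only, on this OU and everything
# below it (/I:T = this object and its sub-objects).
dsacls $ou /I:T /G "${group}:CCDC;computer"

# Check what was granted: list the group's ACEs on the OU that are scoped
# to the computer object class, so broader rights stand out in review.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and $_.ObjectType -eq $computerClass } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType

# Step 3 (run as a member of the delegated group): create the computer
# account in the delegated OU BEFORE joining the machine.
New-ADComputer -Name 'CLT-PC001' -Path $ou -Enabled $true

# Then, on the new PC itself, signed in as a local administrator, join the
# domain with the delegated admin's credentials. The computer name must
# match the pre-created account.
Add-Computer -DomainName 'example.com' -Credential (Get-Credential) -Restart
```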


 