If you want to delegate the right to add/remove computers to ordinary users in an AD domain, check the following (Number 3 is crucial):
1. Do you have a group for users who only have the right to add/remove computers from the domain?
If yes, goto number 2.
If no, create such a group, and add authorised users.
2. Within AD, delegate the permission to "add/delete computer objects" to the group in 1 above, on the OU that will hold the computer accounts (Delegation of Control wizard, or the OU's security tab).
***** - This is the key part, that we overlooked - *****
3. When creating a computer object, specify the group in 1 (above) as having the right to "...join the computer to a domain" (Page 1 of new object wizard)
4. Complete the wizard as normal
Note: This may seem obvious, but we've just spent a significant amount of time trying to allow two users the right to add/remove computers on our domain, so that they may work between our domain and a client's.
They could remove computers fine with the group that we created; adding, however, was a different ball game.
Creating a group and delegating the permission to add/remove objects is not sufficient.
That group must be explicitly specified on the object as having the right to join the domain.
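The four steps above as a script, added here as an example and not taken from the original post. It uses the RSAT ActiveDirectory module, must be run with domain-admin rights, and assumes names that are not in the post: the OU `OU=Workstations,DC=corp,DC=example`, the group `Computer-Joiners`, the users `alice` and `bob`, and the pre-staged computer `WS-0001`. Step 3 is done by writing ACEs on the computer object rather than through the wizard; the set of rights granted (Reset Password, Write Account Restrictions, and the validated writes to DNS host name and SPN) is the set assumed here to match what the wizard's "can join this computer to a domain" field grants.

```powershell
# Added example: delegate computer add/remove to a group and pre-stage a computer
# object that the same group is allowed to join. All names below are assumptions.
Import-Module ActiveDirectory

$Ou        = 'OU=Workstations,DC=corp,DC=example'   # assumed OU holding computer accounts
$GroupName = 'Computer-Joiners'                      # assumed group from step 1
$Members   = @('alice', 'bob')                       # assumed authorised users
$Computer  = 'WS-0001'                               # assumed pre-staged machine name

# Step 1: the group that only holds users allowed to add/remove computers.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $Ou
}
Add-ADGroupMember -Identity $GroupName -Members $Members
$sid = (Get-ADGroup -Identity $GroupName).SID

# Schema and rights GUIDs referenced by the ACEs below (well-known AD values).
$computerClass   = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2' # computer object class
$resetPassword   = [Guid]'00299570-246d-11d0-a768-00aa006e0529' # Reset Password extended right
$accountRestrict = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529' # Account Restrictions property set
$validatedDns    = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd' # Validated write to DNS host name
$validatedSpn    = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1' # Validated write to SPN

function New-Ace {
    # Builds an Allow ACE for $Sid limited to one object type / property / right.
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'None',
        [Guid]$InheritedObjectType = [Guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inherit, $InheritedObjectType)
}

# Step 2: on the OU, let the group create and delete computer objects only
# (no rights on any other object class, inherited down to sub-OUs).
$ouAcl = Get-Acl -Path "AD:\$Ou"
$ouAcl.AddAccessRule((New-Ace $sid 'CreateChild, DeleteChild' $computerClass 'All'))
Set-Acl -Path "AD:\$Ou" -AclObject $ouAcl

# Step 3: pre-stage the computer object and name the group as the principal
# allowed to join it. Without these ACEs the join fails even though the group
# can create and delete computer objects in the OU.
New-ADComputer -Name $Computer -SamAccountName "$Computer`$" -Path $Ou -Enabled $true
$dn   = (Get-ADComputer -Identity $Computer).DistinguishedName
$cAcl = Get-Acl -Path "AD:\$dn"
$cAcl.AddAccessRule((New-Ace $sid 'ExtendedRight' $resetPassword))   # reset machine password on join
$cAcl.AddAccessRule((New-Ace $sid 'WriteProperty' $accountRestrict)) # userAccountControl etc.
$cAcl.AddAccessRule((New-Ace $sid 'Self'          $validatedDns))    # dNSHostName
$cAcl.AddAccessRule((New-Ace $sid 'Self'          $validatedSpn))    # servicePrincipalName
Set-Acl -Path "AD:\$dn" -AclObject $cAcl

# Step 4 / check: list the ACEs that now name the group on the OU and on the object.
function Get-GroupAces {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType
}
Get-GroupAces -Path "AD:\$Ou"
Get-GroupAces -Path "AD:\$dn"
```

Two things to check after running it. First, the check at the end should show one CreateChild/DeleteChild ACE scoped to the computer class on the OU and four ACEs on the pre-staged object; if the object shows none, the join will be refused exactly as described in the note above. Second, the domain attribute ms-DS-MachineAccountQuota (default 10) already lets any authenticated user join up to ten computers without any of this delegation, so an environment that restricts joining to a named group usually sets that quota to 0 as well, otherwise the group buys nothing for unstaged machines.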