There is a predefined group, Account Operators. However, this may not be suitable, as it will also allow the members to administer user accounts and log on locally to a DC. Instead, edit the Default Domain Controllers Policy, or add a policy on the Domain Controllers OU.
Under Computer Configuration, Windows Configuration, Security configuration, Local directives, assign user rights, add the group NONDOMAINADMINS to the right "Add workstations to the domain".

Regards
Peter

(nb above English is approximate as it is translated, not literal)

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
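
A way to confirm the result of the change described above, as an added example that is not part of the original message: it exports the effective user rights on a domain controller and lists who holds SeMachineAccountPrivilege, the constant behind "Add workstations to domain". It assumes an elevated PowerShell session on a DC after the policy has refreshed; the temp file name is arbitrary and the group name is the one used in the message.

```powershell
# Added example (not from the original message): audit holders of
# "Add workstations to domain" (SeMachineAccountPrivilege) on this DC.
$expectedGroup = 'NONDOMAINADMINS'                      # group name from the message
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'     # arbitrary temp file (assumption)

# Export only the user-rights section of the effective security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

try {
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeMachineAccountPrivilege\s*=' } |
        Select-Object -First 1

    if (-not $line) {
        Write-Warning 'SeMachineAccountPrivilege is not assigned to anyone here.'
    }
    else {
        # Entries are comma separated; SIDs are written with a leading '*'.
        $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # SID that no longer resolves to an account
            }
            else { $entry }
        })

        # Compare on the account name without its DOMAIN\ prefix.
        $found  = @($holders | Where-Object { ($_ -split '\\')[-1] -eq $expectedGroup })
        $others = @($holders | Where-Object { ($_ -split '\\')[-1] -ne $expectedGroup })

        if ($found.Count -gt 0) { Write-Output "OK: $($found -join ', ') holds the right." }
        else { Write-Warning "$expectedGroup does not hold the right; check GPO link order and run gpupdate." }

        # Anyone else listed can also join machines; review each entry.
        $others | ForEach-Object { Write-Output "Also granted: $_" }
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```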
