[ActiveDir] Rights needed to Rename Computer Object

[Clay, Justin \(ITS\)]

What rights are needed to delegate authority for people to rename computers that are joined to a domain? I know if I give Full Control of computer objects they of course can, but I’d like to limit the authority they have. I’ve so far tried:   From running a comparison of before and after a rename, it looks like it needs the following:   Write Computer name (pre-Windows 2000) Write displayName Write distringuishedName Write dNSHostName Write Name Write pwdLastSet Create/Delete service PrincipalName   Does that sound correct? I want to make sure I delegate enough authority for them to rename computers, but not enough to do anything else.   Thanks,   Justin Clay ITS Enterprise Services Metropolitan Government of Nashville and Davidson County Howard School Building Phone: (615) 880-2573   ITS ENTERPRISE SERVICES EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.