You basically need to delegate "Reset Password", "Validated write to DNS host name", "Validated write to service principal name", and "Account Restrictions".
Have you taken the user right to add computers to the domain into consideration? Also, are you changing the field "The following user or group can join this computer to a domain"? This defaults to Domain Admins, and you need to change it to their own account or a security group that they're a member of.

From: Robert Peterson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2008 11:53 AM
To: Active Directory Admin Issues
Subject: AD permission help needed

Can anyone help?

I want to allow a specific tech to "join" a computer to our domain. The computer objects will already exist in a specific sub container. I plan to create these via a bulk import. The tech will then build the computer and rename it to its pre-made AD name and join it to the domain.

I've tried delegating various rights, but they all seem to address "creating" objects. I just want him to be able to join a computer to an existing object. I keep getting an "access denied" error.

Any ideas?

Thanks,
Robert
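
The four permissions named in the first reply, granted to one group on the container that holds the pre-created computer objects and scoped to computer objects only. This is an added PowerShell example, not part of the thread; the OU path and group name are placeholders, and it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example: delegate "join to an existing computer object" on one OU.
# $OuDn and $GroupName are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$OuDn      = 'OU=Staged Computers,DC=example,DC=com'  # placeholder: OU with the bulk-imported objects
$GroupName = 'Computer-Join-Techs'                     # placeholder: group the tech belongs to

# schemaIDGUID of the computer class: the ACEs apply only to computer objects.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# The four delegations from the reply, with their directory GUIDs.
$Grants = @(
    @{ Name = 'Reset Password'
       Rights = 'ExtendedRight'
       Guid = '00299570-246d-11d0-a768-00aa006e0529' },
    @{ Name = 'Validated write to DNS host name'
       Rights = 'Self'
       Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' },
    @{ Name = 'Validated write to service principal name'
       Rights = 'Self'
       Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' },
    @{ Name = 'Account Restrictions'
       Rights = 'ReadProperty, WriteProperty'
       Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }
)

$sid  = (Get-ADGroup -Identity $GroupName).SID
$path = "AD:\$OuDn"
$acl  = Get-Acl -Path $path

foreach ($g in $Grants) {
    # Allow ACE inherited by descendant computer objects; the OU itself is not affected.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$g.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$g.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClass)
    $acl.AddAccessRule($rule)
    Write-Host "Queued: $($g.Name)"
}
Set-Acl -Path $path -AclObject $acl

# Read the ACL back and list what the group now holds on this OU.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

None of these ACEs allows creating or deleting computer objects, so the group can only join machines to objects that already exist in that OU.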
