Adding Computers to AD Domain
I'm delegating control of an OU structure in AD. I've delegated control of an OU to a security group that I created in AD. The group has been delegated both the "Create Computer Objects" and "Delete Computer Objects" permissions. However, members of this group cannot add computers to the AD domain from the computer itself: the "Change" button on the "Computer Name" tab of the computer's properties is greyed out. They can add the computer name to the OU they have been delegated control of, within ADUC, but cannot add the computer to the AD domain from the computer itself. Is there a permission that I should have delegated during the Delegate Control wizard that will allow this? Thanks in advance.
paddy ryan
January 12th, 2010 2:55pm

Changing domain membership on a computer is a privileged operation locally. In addition to needing the correct permissions on the OU to which the computer account will be added, they need local admin privileges on the computer whose domain membership is being changed. I can't recall off the top of my head, but Server Operators and/or Power Users may have the required privileges. I'm not currently in a position to test this, however.
Paul Adare CTO IdentIT Inc. ILM MVP
January 12th, 2010 3:14pm

I guess I could also add the security group, which I delegated control of the OU to, to the local Administrators group of the computer to give them the local privileges on the computer. Correct? Although this wouldn't solve my problem of allowing admins to add new computers to the domain. I guess I could add their accounts, or a security group, to the Server Operators group on the domain. I think!!!
paddy ryan
January 12th, 2010 4:53pm

Hi Paddy,
Thanks for posting here. According to your description, you want to grant a user group the ability to add desktops to the domain. If I have misunderstood you, please do not hesitate to let me know. From my research, you can simply grant the "Create Computer Objects" and "Delete Computer Objects" Access Control Entries (ACEs) to the user group to accomplish it. For your convenience, the steps are listed below:
1. From the Active Directory Users and Computers snap-in, click Advanced Features on the View menu so that the Security tab is exposed when you click Properties.
2. Right-click the Computers container, and then click Properties.
3. On the Security tab, click Advanced.
4. On the Permissions tab, click Add and add the user group to the list of permission entries, then click View/Edit.
5. Make sure the "This object and all child objects" option is displayed in the "Apply onto" box.
6. From the Permissions box, click to select the Allow check box next to the Create Computer Objects and Delete Computer Objects ACEs, and then click OK.
For more information, you can refer to KB251335, method 2: http://support.microsoft.com/kb/251335/EN-US/
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
January 13th, 2010 5:31am
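The same delegation Wilson describes through the ADUC GUI, done with PowerShell so that it can be scripted and audited. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and group name are placeholders for your own environment.

```powershell
# Added example (not from the thread): delegate "Create Computer Objects" and
# "Delete Computer Objects" on an OU to a security group.
# Placeholders: $ouDN and $groupSam must be replaced with your own values.
Import-Module ActiveDirectory

$ouDN     = "OU=Workstations,DC=example,DC=com"   # placeholder OU
$groupSam = "Workstation-Joiners"                 # placeholder security group

# Resolve the group's SID; the ACE is stored by SID, not by name
$group = Get-ADGroup -Identity $groupSam
$sid   = New-Object System.Security.Principal.SecurityIdentifier $group.SID

# Read the schemaIDGUID of the 'computer' class from the schema instead of
# hard-coding it, so the ACE is scoped to computer objects only
$rootDse       = Get-ADRootDSE
$computerClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

# Current DACL of the OU through the AD: PSDrive
$acl = Get-Acl -Path "AD:\$ouDN"

# CreateChild + DeleteChild restricted to object type 'computer', applied to
# this OU and all descendants ("This object and all child objects" in ADUC)
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the ACEs on the OU that reference the group
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

The verification step at the end is worth keeping in any delegation script: the ObjectType column should show the computer class GUID rather than an all-zeros GUID, which would mean the group can create and delete any object class under the OU, not just computers. While checking, also review the domain's ms-DS-MachineAccountQuota attribute (the KB article Wilson cites discusses it); with its default value any authenticated user can already join up to ten computers into the default Computers container, which may be broader than the delegation you intended.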

Thanks for replying, Wilson. Your solution is fine. However, it won't allow administrators to add computers to the domain from the computer itself (right-click "Computer", click Properties / Computer Name / Change and select domain instead of workgroup). I think the only way to achieve this is to make the administrators members of a group that is a member of the local Administrators group on the local computer. Is this correct?
paddy ryan
January 13th, 2010 11:25am

Hi Paddy,
You are correct. To open the computer properties / Computer Name / Change and select domain instead of workgroup, you will need to log in as a member of the local Administrators group on the local computer.
Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
January 13th, 2010 1:38pm
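The workstation side of the conclusion reached above, as an added example that is not part of the thread: confirm that the delegated group is a local Administrator on the machine, then perform the join so that the new computer object lands in the delegated OU rather than the default Computers container. The domain name, OU path and group name are placeholders; Get-LocalGroupMember and Add-LocalGroupMember are the Microsoft.PowerShell.LocalAccounts cmdlets available on Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the thread): run in an elevated PowerShell session
# on the workstation that is being joined. Placeholders below.
$domain    = "example.com"                             # placeholder domain
$ouPath    = "OU=Workstations,DC=example,DC=com"       # placeholder delegated OU
$joinGroup = "EXAMPLE\Workstation-Joiners"             # placeholder delegated group

# The join dialog and Add-Computer both require local Administrators membership,
# so make sure the delegated group has it (in production, prefer pushing this
# through Group Policy Restricted Groups rather than per-machine changes).
$localAdmins = Get-LocalGroupMember -Group "Administrators" |
                   Select-Object -ExpandProperty Name
if ($localAdmins -notcontains $joinGroup) {
    Add-LocalGroupMember -Group "Administrators" -Member $joinGroup
}

# -Credential supplies a domain account that is a member of $joinGroup;
# -OUPath places the computer object in the OU where the group holds
# "Create Computer Objects", so the join does not depend on the default
# Computers container or on the machine account quota.
$cred = Get-Credential -Message "Domain account in $joinGroup"
Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred -Restart
```

Two things to check afterwards from the domain side: the computer object exists under the delegated OU (Get-ADComputer -SearchBase $ouPath), and the group did not need, and was not given, any right on the parent OUs or the Computers container. Keeping the local Administrators grant and the OU delegation scoped to the same group makes it easy to audit who can introduce machines into the domain.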
