How do I delegate domain users to change passwords and join computers to domain?

I am not sure exactly what I am doing wrong here, however, I have run the AD Delegation Wizard and added a Global Security group at the root of our Domain so that some of my users can change passwords and join computers to the domain. I have not changed any settings in our Default Group Policy and when the users try and join the machines to the Domain they are getting "Access Is Denied".

If anyone can point me in the right direction here it would be greatly appreciated.
Americom Commented:
Also, you don't want to delegate users to be able to reset passwords or even join computers to the domain at the domain level. It is too risky at this level; only Domain Admins should have access to this level.

Here's the suggestion:
If you need to have helpdesk folks be able to join/disjoin computers to the domain, you need to do the following:
1. Create a group, something like HelpdeskAdmins.
2. Add all the needed users to this group.
3. Create an OU where you want them to be able to move/remove the computer object to this OU after the object is added to the domain.
4. Delegate the permission on this OU so they can add and remove computer objects in this OU.
5. You also need to delegate the add/remove computer permission on the default Computers container, as by default the computer is added to the Computers container, unless you pre-create the computer object in the above OU before they join the computer to the domain.

Hope this helps, but in case you need the steps for delegation:
Install GPMC if you haven't, and run the GPMC Console.
1. Right-click the OU to which you want the computers added, and select Delegate Control.
2. Click Next.
3. Click Add.
4. After adding all the groups, click Next.
5. Select Create custom task to delegate and click Next.
6. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and click Next.
8. Check the Create all child object box and click Next.
9. Click Finish.

As far as resetting user passwords etc., use the same delegation process, but instead of the OU of computers, you would delegate to the OU of user accounts.
Depending on the process your users use to join a computer to a domain: if you don't create the computer account first in the appropriate OU, then the computer account will be created in the "Computers" container, where by default users do not have the right to create any objects.
bob_kochanski (Author) Commented:
Thanks much, worked perfectly.
Question has a verified solution.
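
A scripted form of the OU-scoped delegation described in the answer above, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module is installed; the two OU distinguished names are placeholders, and HelpdeskAdmins is the group name suggested in the answer.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory module is available; both OU
# paths are placeholders; HelpdeskAdmins is the group suggested in the answer.
Import-Module ActiveDirectory

$computerOU = 'OU=Workstations,DC=example,DC=com'   # placeholder OU for computers
$userOU     = 'OU=Staff,DC=example,DC=com'          # placeholder OU for user accounts
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup 'HelpdeskAdmins').SID

# Well-known AD schema class GUIDs and the Reset Password extended-right GUID
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer class
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# Append one access rule to the ACL of an OU (nothing is granted at the domain root)
function Add-OuAce {
    param([string]$OuDn, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Create/delete child objects of class "computer" only, in the computer OU and below
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
Add-OuAce $computerOU ([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights, $allow, $computerClass, $inh::All))

# Reset Password, applied only to user objects beneath the user OU
$ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
Add-OuAce $userOU ([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $ext, $allow, $resetPassword, $inh::Descendents, $userClass))

# Review: list the explicit (non-inherited) entries the group now holds on each OU
foreach ($ou in $computerOU, $userOU) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like '*\HelpdeskAdmins' -and -not $_.IsInherited } |
        Select-Object @{n='OU';e={$ou}}, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType
}
```

The final loop is worth re-running periodically: any explicit entry for the group on an OU other than the two intended ones, or with an empty ObjectType GUID, means the delegation is broader than planned.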
