The school system I work for has very tight security on their Domain Controllers. So much so that they do not want the network Administrator at each school to have Administrator Permissions on the entire domain. This creates an interesting problem, as I need to find the exact individual permissions needed for these "Administrators" to be able to do their jobs. I have managed to set AD so that these "Administrators" can add a workstation to the domain, and create user accounts. The major problem I am having lately is they are getting an Access Denied error when using the Network ID wizard in WinXP. I need the exact permissions necessary for using the Network ID Wizard in WinXP without making them Domain level administrators. I have searched TechNet and a couple of other forums and have had no luck finding the correct permissions. Any help would be greatly appreciated.
Servers - Server 2003 R2 STD SP2
Workstations - Mix of WinXP SP3, & Win2k