Permissions to add/remove computer accounts from domain


We are running Windows 2003 AD.

I have an OU named StudentComputers.

I would like to give the Student Admins (security group: StudentAdmins) permission to add computers to the domain within the StudentComputers OU. There will be in excess of 100 computers they will be adding to the domain.

I've checked this link here:

But not sure if the info has changed.

Can anyone advise how I can do this, if I go to Delegate Control Wizard of the StudentComputers OU, then there is nothing to Add/Remove computers from Domain?

Any help appreciated!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mike ThomasConsultantCommented:
You can select the advanced view in AD Users and Computers and set permission using the security tab
kam_ukAuthor Commented:
Thanks, but still can't see it?
Mike ThomasConsultantCommented:
"Create all child objects" is the permission you need to set on the OU, you may need to add the permission to the default computers container if you have no build process that creates the computer object on the correct OU.
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

kam_ukAuthor Commented:
"Create all child objects" ah ok, so this actually gives the permission to add objects to the domain?

Thanks again.
Mike ThomasConsultantCommented:
Somewhat yes I just had to look this up to check as its been a while.

This article may help

Adding permssions to the OU will ensure that the Admin you want can move objects to the desired OU but you may want to add more permssions to allow them to manage those objects.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FemSteenkampIT managerCommented:
If you delegate the the create computer objects ( under  Create all child objects) to the Student Admins, they can bypass the need for increasing the limit of joining computers to the domain by prestaging the computer account in AD (create computer object in AD before the computer is joined to teh domain) Then when you join the computer to the domain, it will find a computer object already exists within ad , with the same name, and associate the joining computer to that account. This way they can use the default "join to domain" wizard.

if just the deligation is done, you will have to use scripts (vbscript/powershell, or tools like NETDOM) to specify in which lcation (OU)  the newly added computer needs to be placed, if no location provided all newly joined machines will be in default location ( at install time is computers, but this location can be changed as a new default for all joining computers to domain)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.