Need user that can add and remove computers from domain

How can I allow a user to join and remove computers from our domain without making them domain admins? Our computer objects are created in different OUs, but all OUs are under OurOrg_Computers. I have created a user called DomainMgr; what must I do to give him the ability to add and remove computers from our domain?
Shabarinath Ramadasan (Infrastructure Architect) commented:
Use delegation on the required OU.
Using Active Directory Users and Computers
-> Browse to the OU which you have all computers
-> Right Click and select Delegate Control.
You need to select the right option to add/remove computer objects.
That's all you need.

Always give the least permissions - Thumb rule in IT Infrastructure Security.

Good luck
Yes, go through the above-mentioned steps:
i.e. From Administrative Tools -> Active Directory Users and Computers -> browse to the OU which has all your computers -> right-click and select Delegate Control -> and select the option to add/remove objects.
Mohamed Khairy (Enterprise Solutions Architect) commented:
By default, any authenticated user has the right to join computers and can create up to 10 computer accounts in the domain. To accomplish your request, you have to delegate the appropriate user rights through the Active Directory Users and Computers console, as previously explained in the experts' comments, but you have to take care with the permissions step because you may receive an "access denied" error message.

Here are the detailed steps as given in the Microsoft article:

1- Click Start, click Run, type dsa.msc, and then click OK.

2- In the task pane, expand the domain node.

3- Locate and right-click the OU that you want to modify, and then click Delegate Control.

4- In the Delegation of Control Wizard, click Next.

5- Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.

6- In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

7- Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.

8- Click Next.

9- In the Permissions list, click to select the following check boxes:

- Reset Password
- Read and write Account Restrictions
- Validated write to DNS host name
- Validated write to service principal name

10- Click Next, and then click Finish.

11- Close the "Active Directory Users and Computers" MMC snap-in.

Wish this may help.



Krzysztof Pytko (Senior Active Directory Engineer) commented:
You can also simply add the user or group into the Account Administrators group in AD. It will solve your needs.
Mohamed Khairy (Enterprise Solutions Architect) commented:
@iSiek: Administrators can join computers to the domain without any issues, and I think that bpl5000 is asking about granting the mentioned right or access to an ordinary user, which can be a member of the helpdesk team or his delegate, and in this case he doesn't want him/her to be granted unnecessary rights.

It's a matter of security, nothing more than that.

bpl5000 (Author) commented:
@mkhairy, that is very interesting about the access denied error even after being delegated permission to do so. I guess what I'll first do is set things up the way shabarinath has suggested, and if I get errors, I'll do the steps that you listed.

Thanks for all the help!
Mohamed Khairy (Enterprise Solutions Architect) commented:
You are most welcome, wish you all the success.
bpl5000 (Author) commented:
I am just now following shabarinath's instructions, but there doesn't seem to be an option of "add/remove computer objects" when delegating on an OU. I see Create, Delete and Manage User Accounts, but nothing about computer accounts.
bpl5000 (Author) commented:
OK, it seems to me you need to go to the Properties of the OU, then the Security tab, then Advanced, then add the users with the rights to Create Computer Objects and Delete Computer Objects.
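The same delegation (create/delete computer objects plus the four rights listed in the wizard steps above) done with PowerShell instead of the wizard or the OU's Security tab, as an added example that is not from any of the replies above. It assumes the ActiveDirectory module, the DomainMgr account from the question, and a placeholder OU DN of OU=OurOrg_Computers,DC=example,DC=com that you must replace with your own.

```powershell
# Added example, not from the thread. Delegates least-privilege computer-object
# rights to DomainMgr on one OU tree without adding him to any admin group.
Import-Module ActiveDirectory

$ouDn    = 'OU=OurOrg_Computers,DC=example,DC=com'   # placeholder DN, adjust
$sid     = [System.Security.Principal.SecurityIdentifier](Get-ADUser 'DomainMgr').SID
$rootDse = Get-ADRootDSE

# Look the GUIDs up in this forest's schema and Extended-Rights container
# instead of hard-coding them.
$computerClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

function Get-RightGuid([string]$displayName) {
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$r.rightsGuid
}

$acl         = Get-Acl -Path "AD:\$ouDn"
$inheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 1. Create/Delete *computer* child objects in this OU and all sub-OUs
#    (the wizard's "Create/Delete selected objects in this folder" for Computer).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild, DeleteChild', 'Allow', $computerClassGuid, $inheritAll)))

# 2. The four rights from the wizard steps, scoped to descendant computer
#    objects only (inherited-object-type = computer class), nothing else.
$rights = @(
    @{ Name = 'Reset Password';                            Type = 'ExtendedRight' },
    @{ Name = 'Account Restrictions';                      Type = 'ReadProperty, WriteProperty' },
    @{ Name = 'Validated write to DNS host name';          Type = 'Self' },
    @{ Name = 'Validated write to service principal name'; Type = 'Self' }
)
foreach ($r in $rights) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $r.Type, 'Allow', (Get-RightGuid $r.Name), $descendants, $computerClassGuid)))
}

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: show exactly what DomainMgr was granted on the OU and nothing more.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*DomainMgr' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it as an account that can modify the OU's ACL; the final listing is the check to keep, since it shows the delegation is limited to computer objects under that OU.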