I am currently using windows server 2003 servers with Active Directory in Windows 2000 mixed functional level.
I recently took away domain admin privileges to all my IT staff, and now they are only domain users, just like any other regular user. I am trying to delegate control to them to the entire domain and allow them to add a computer to the domain.
I have a global security group created to which all IT staff members are members of.
So, I right click the root domain, and click delegate control, then I pick my IT security group, then I choose the option "Join a computer to the domain", then finish.
When anyone of my IT staff members tries to add a computer to the domain, it gives them an access denied. This is all done from the computer they are trying to add to the domain itself, they are not going into AD and adding the computer there.