I am trying to give a user rights to add computers to the domain. According to documentation, I just need to give this person Create/Delete Computer Objects rights to the OU where computers are created. This fails with the message Access Denied.
If I add this user to the Account Operators group then they are able to add computers to the domain. The only problem with this is the Account Operators group has rights to Create/Delete Computer Objects, User Objects, Group Objects and InetOrgPerson Objects.
If I manually give the user these 4 rights they still get the Access Denied message. Only when I place them in the Account Operators group they are able to add computers to the domain.
What am I overlooking?