I am trying to use Delegation to let users in a remote office join their laptops to our domain without making these users Domain Admins. So to test, I created a group called "DelegationTest". Within the group I created a user named "TestUser1". This user has Domain User rights. Then I followed these instructions I found online for Delegation:
Click Start, click Run, type dsa.msc, and then click OK.
In the task pane, expand the domain node. Locate and right-click the OU that you want to modify, and then click Delegate Control.
In the Delegation of Control Wizard, click Next.
Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
In the Permissions list, click to select the following check boxes:
Read and write Account Restrictions
Validated write to DNS host name
Validated write to service principal name
Click Next, and then click Finish.
Close the "Active Directory Users and Computers" MMC snap-in
After that I took a laptop, removed it from the domain and deleted the computer from AD. I waited an hour and forced Sync All on my DC. I am now trying to join the domain using the TestUser1 account. It errors saying:
The join operation was not successful. This could be because an
existing computer account having the name "Laptopname" was previously created
using a different set of credentials. Use a different computer name, or
contact your administrator to remove any stale conflicting account.
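The same delegation done from PowerShell, plus the two checks worth running before retrying the join. This is an added example, not something from the original post or from the instructions quoted in it. It assumes an OU named OU=RemoteLaptops,DC=corp,DC=example and a domain corp.example (placeholders, substitute your own); the group name "DelegationTest" and the computer name "Laptopname" come from the post. The schema GUIDs are the ones the Delegation of Control Wizard writes for the same four permissions. Run it on a DC or an RSAT workstation as a Domain Admin.

```powershell
# Added example: delegate create/delete of Computer objects on one OU to a group,
# then verify the ACEs and look for a surviving computer account with the same name.
# OU DN and domain name are assumed placeholders; group and computer names are from the post.
Import-Module ActiveDirectory

$ouDN      = 'OU=RemoteLaptops,DC=corp,DC=example'   # assumed OU that the remote office may join to
$groupName = 'DelegationTest'
$laptop    = 'Laptopname'                            # name from the error message in the post

# Schema GUIDs behind the wizard's check boxes
$computerClass    = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # Computer object class
$accountRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set
$validatedDnsHost = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$validatedSpn     = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# On the OU itself: "Create/Delete selected objects in this folder", limited to the Computer class
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None))

# On descendant Computer objects only: read/write Account Restrictions and the two validated writes.
# Validated writes are expressed as the "Self" right with the validated-write GUID as the object type.
$descendantRules = @(
    @{ Rights = 'ReadProperty, WriteProperty'; ObjectType = $accountRestrict  },
    @{ Rights = 'Self';                        ObjectType = $validatedDnsHost },
    @{ Rights = 'Self';                        ObjectType = $validatedSpn     }
)
foreach ($rule in $descendantRules) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$rule.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rule.ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check 1: the group's ACEs are present on the OU, with the expected object types and inheritance
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize

# Check 2: search the whole domain for a computer account with the laptop's name.
# The "previously created using a different set of credentials" error is raised when one still
# exists that the joining user has no rights over (for example in a different OU or container).
Get-ADComputer -Filter "Name -eq '$laptop'" -Properties whenCreated |
    Select-Object Name, DistinguishedName, whenCreated

# On the laptop: the join must target the delegated OU. Without -OUPath the account is created in
# the default Computers container, where the delegated group has no rights.
# Add-Computer -DomainName corp.example -OUPath $ouDN -Credential (Get-Credential 'CORP\TestUser1') -Restart
```

If Check 2 returns an object, delete it (or move it into the delegated OU) before joining again; if it returns nothing and the join still fails, confirm the client is joining into the delegated OU rather than the default Computers container.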