Join Computer to Domain Delegation

I am trying to use Delegation to let users in a remote office join their laptops to our domain without making these users Domain Admins. So to test I created a Group called "DelegationTest". Within the group I created a User named "TestUser1". This user has Domain User rights. Then I followed these instructions I found online for Delegation:

Click Start, click Run, type dsa.msc, and then click OK.

In the task pane, expand the domain node. Locate and right-click the OU that you want to modify, and then click Delegate Control.

In the Delegation of Control Wizard, click Next.

Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.

In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.

Click Next.

In the Permissions list, click to select the following check boxes:
Reset Password
Read and write Account Restrictions
Validated write to DNS host name
Validated write to service principal name

Click Next, and then click Finish.

Close the "Active Directory Users and Computers" MMC snap-in.

After that I took a laptop and removed it from the domain and deleted the computer from AD. I waited an hour and forced Sync All on my DC. I am now trying to join to the domain using the TestUser1 account. It errors saying:

The join operation was not successful. This could be because an
existing computer account having the name "Laptopname" was previously created
using a different set of credentials. Use a different computer name, or
contact your administrator to remove any stale conflicting account.
Will Szymkowski, Senior Solution Architect, commented:
This is happening because the permissions are not correct. You said that you removed the PC from the domain and deleted the AD Object from the OU. So that being said, when the laptop is rejoined to the domain it will create a brand new Computer Object, and by default it will create it in the "Computers" container. If you set delegation for that user on a specific OU and new computer objects are being created in the Computers container, that user was not delegated control over that container, which is why you are getting this error.

You can find out what your default computer location is by using the following command...
Get-ADDomain | select computerscont*

If you set the delegation on this container the user should be able to add machines to the domain without any issues.

You can change the default computer object container using the redircmp command.

See link for details:
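A scripted version of the same delegation, applied to one office OU and followed by a join that targets that OU directly, as an added example that is not from this thread or from Experts Exchange. The domain corp.example, the OU name and the joining laptop's name are assumptions; the rights GUIDs are the well-known Active Directory ones and the checkboxes from the question map onto them.

```powershell
# Added example, not from this thread. Assumes a hypothetical domain corp.example,
# the group DelegationTest from the question and an OU named "Vegas Computers".
Import-Module ActiveDirectory

# 1. The check from the accepted answer: where do new computer objects land by default?
$default = (Get-ADDomain).ComputersContainer   # e.g. CN=Computers,DC=corp,DC=example

# 2. Delegate join rights on one OU only, instead of redirecting the whole domain with redircmp.
$ouDN = "OU=Vegas Computers,DC=corp,DC=example"
$sid  = (Get-ADGroup "DelegationTest").SID

# Well-known schema and rights GUIDs (identical in every AD forest)
$computerClass   = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # computer object class
$resetPassword   = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password extended right
$accountRestrict = [Guid]"4c164200-20c0-11d0-a768-00aa006e0529"   # Account Restrictions property set
$validatedDns    = [Guid]"72e39547-7b18-11d1-adef-00c04fd8d5cd"   # Validated write to DNS host name
$validatedSpn    = [Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1"   # Validated write to SPN

$R     = [System.DirectoryServices.ActiveDirectoryRights]
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow = [System.Security.AccessControl.AccessControlType]::Allow
function New-Ace($rights, $objType, $inherit, $inhType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $objType, $inherit, $inhType)
}

$acl = Get-Acl -Path "AD:\$ouDN"
# Create and delete computer objects directly in this OU (the two wizard checkboxes)
$acl.AddAccessRule((New-Ace ($R::CreateChild -bor $R::DeleteChild) $computerClass ($Inh::None) ([Guid]::Empty)))
# On computer objects below the OU: the four permissions listed in the question
$acl.AddAccessRule((New-Ace ($R::ExtendedRight) $resetPassword ($Inh::Descendents) $computerClass))
$acl.AddAccessRule((New-Ace ($R::ReadProperty -bor $R::WriteProperty) $accountRestrict ($Inh::Descendents) $computerClass))
$acl.AddAccessRule((New-Ace ($R::Self) $validatedDns ($Inh::Descendents) $computerClass))
$acl.AddAccessRule((New-Ace ($R::Self) $validatedSpn ($Inh::Descendents) $computerClass))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. On the laptop (RSAT installed, assumed): join straight into the delegated OU, so the object is
#    never created in $default. A stale account elsewhere still needs an admin, hence the check first.
$name = $env:COMPUTERNAME
if (Get-ADComputer -Filter "Name -eq '$name'") { throw "Stale account for $name exists; ask an admin to remove it." }
Add-Computer -DomainName corp.example -OUPath $ouDN -Credential (Get-Credential "CORP\TestUser1") -Restart
```

Each office gets its own OU and group with the same ACEs, and `-OUPath` on the join decides where the object lands, so one location's group never gains rights over another's OU.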


Sandeshdubey, Senior Server Engineer, commented:
What error message are you getting while joining the machine to the domain?

Ensure correct DNS settings are configured on the client computer as follows:
1. Each workstation/member server should point to the local DNS server as primary DNS and other remote DNS servers as secondary.
2. Do not set a public DNS server in the TCP/IP settings of the client/member server.

Also check whether any instances of the faulty laptop are present in DNS apart from the computer object; delete the same if any and perform the rejoin operation.
Twhite0909 (Author) commented:
AWESOME, that worked! You = Ninja homeboy!

Now the only question is we have several remote offices. Is there a way for me to have these offices each have an OU under Computers, and when a Vegas office adds a computer it goes to Computers > Vegas Computers? I'm trying to limit each location to have access over their own domain adds and no one else's.
