Appendix G: Configuring Security for Domain User Accounts
When the Client Installation Wizard runs on the target computer, it prompts the administrator for domain credentials. This domain user account must have the following permissions to create, delete, and manage computer accounts in the Active Directory. Members of the Domain Admins or Account Operators groups already have the necessary permissions. If a team member wants to apply more minimal, granular privileges, he or she can create a domain global group named Installers with the necessary permissions, and add users to that group.
To create an Installers group (name the group anything), complete these steps using a Domain Admin account:
Launch Active Directory Users And Computers.
The left pane displays an icon representing the domain with a plus sign next to it; click the plus sign to expand the domain.
Create an Installers global group.
In Active Directory Users and Computers, from the View menu, click Advanced Features if it is not already selected.
Doing so shows the Security tab on the property sheet, which is essential for giving Installers the required permissions.
Right-click the domain icon, and then click Properties.
The domain properties sheet appears.
Click the Security tab, and then click Add.
In the Select Users, Computers, Or Groups dialog box, type Installers. Then, click OK.
In the domain property sheet, click Installers, and then click Advanced.
In the Advanced Security Settings dialog box, click installers. Then, click Edit.
In the Permission Entry dialog box, in the Permissions list, select Allow for the Create Computer Objects permission and for the Delete Computer Objects permission.
In Apply To list, select This Object and All Child Objects. Click OK.
In the Advanced Security Settings dialog box, click Add. In the Select User, Computer, Or Group dialog box, type Installers, and then click OK three times.
Now, add any users to the Installers group that will be used to install new computers.