This article provides a solution for the "Access is denied" error that non-administrator users who have been delegated control receive when they try to join computers to the domain, and for the related errors that delegated users and Account Operators receive when they reset passwords or create user accounts on a domain controller.
Applies to: Windows Server 2012 R2
Original KB number: 932455
Symptoms
Non-administrator users may experience one or more of the following symptoms:
After a specific user or group has been given permission through the Delegation of Control Wizard to add and remove computer objects in an organizational unit (OU), that user or group can still not join some computers to the domain. When the user tries to join such a computer, the following error message appears:
Access is denied.
Administrators can join computers to the domain without any issues.
Users who are members of the Account Operators group or who have been delegated control can't create new user accounts or reset passwords when they sign in locally or when they sign in through Remote Desktop to the domain controller.
When users try to reset a password, they may receive the following error message:
Windows cannot complete the password change for username because: Access is denied.
When users try to create a new user account, they receive the following error message:
The password for username cannot be set due to insufficient privileges, Windows will attempt to disable this account. If this attempt fails, the account will become a security risk. Contact an administrator as soon as possible to repair this. Before this user can log on, the password should be set, and the account must be enabled.
Cause
These symptoms may occur if one or more of the following conditions are true:
The user or group hasn't been granted the Reset Password permission on computer objects in the OU.
A user or group that lacks the Reset Password permission on computer objects can still join a computer whose account does not yet exist, because the join creates the computer object and sets its password as part of the creation. But if a computer account with that name is already present in Active Directory (for example, a pre-created account, or one left over from an earlier join), the join has to reset that existing account's password and update the object's attributes. That requires the Reset Password permission on the existing computer object, so without it the join fails with "Access is denied".
The users are members of the Account Operators group, or have been delegated control, but have not been granted the Read permission on the Builtin container (the container that holds the built-in groups in "Active Directory Users and Computers").
Resolution
To resolve the issue in which users can't join a computer to the domain, follow these steps. Note that the Reset Password permission lets its holder set the password of any computer account it applies to, so delegate it on the specific OU that the delegated users need, not on the domain root.
1. Select Start, select Run, type dsa.msc, and then select OK.
2. In the task pane, expand the domain node.
3. Locate and right-click the OU that you want to modify, and then select Delegate Control.
4. In the Delegation of Control Wizard, select Next.
5. Select Add to add a specific user or group to the Selected users and groups list, and then select Next.
6. On the Tasks to Delegate page, select Create a custom task to delegate, and then select Next.
7. Select Only the following objects in the folder, and then in the list select the Computer objects check box. Then select the two check boxes below the list: Create selected objects in this folder and Delete selected objects in this folder.
8. Select Next.
9. In the Permissions list, select the following check boxes:
   Reset Password
   Read and write Account Restrictions
   Validated write to DNS host name
   Validated write to service principal name
10. Select Next, and then select Finish.
11. Close the "Active Directory Users and Computers" MMC snap-in.
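The same delegation can be applied from PowerShell, which is useful when the rights have to be granted on many OUs or audited afterwards. The following script is an added example and is not part of the KB article: it grants a group the same five rights on an OU that the wizard steps above grant, using the ActiveDirectory module and its AD: drive. The OU distinguished name and the group name are placeholders that you must change for your environment, and the script must run as a user who can modify the OU's security descriptor (for example, a member of Domain Admins).

```powershell
# Added example (not from the KB article): grant a group the computer-join delegation on an OU.
# Assumptions: $OuDn and $GroupName are placeholders; the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$OuDn      = 'OU=Workstations,DC=contoso,DC=com'   # placeholder OU
$GroupName = 'Workstation Joiners'                  # placeholder group

$rootDse = Get-ADRootDSE

# Look up the GUIDs of the extended right, property set and validated writes by the display
# names the wizard uses, instead of hard-coding them, so the script works in any forest.
$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties displayName, rightsGuid |
    ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }

# schemaIDGUID of the computer class, used to scope every ACE to computer objects only
# (the wizard's "Only the following objects in the folder: Computer objects").
$computerClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                              -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid][byte[]]$computerClass.schemaIDGUID

$sid = (Get-ADGroup -Identity $GroupName).SID
$acl = Get-Acl -Path "AD:\$OuDn"

# Adds one Allow ACE for $sid to the OU's ACL ($acl is modified in place, written back below).
function Add-AllowAce {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
}

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$all    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Step 7: create and delete computer objects in this OU and below.
Add-AllowAce -Rights ($rights::CreateChild -bor $rights::DeleteChild) -ObjectType $computerGuid -Inheritance $all

# Step 9: Reset Password, the right whose absence causes "Access is denied" when the
# computer account already exists, because the join resets that account's password.
Add-AllowAce -Rights $rights::ExtendedRight -ObjectType $rightGuid['Reset Password'] `
             -Inheritance $desc -InheritedObjectType $computerGuid

# Step 9: read and write the Account Restrictions property set.
Add-AllowAce -Rights ($rights::ReadProperty -bor $rights::WriteProperty) `
             -ObjectType $rightGuid['Account Restrictions'] -Inheritance $desc -InheritedObjectType $computerGuid

# Step 9: validated writes to DNS host name and service principal name (right type "Self").
foreach ($name in 'Validated write to DNS host name', 'Validated write to service principal name') {
    Add-AllowAce -Rights $rights::Self -ObjectType $rightGuid[$name] `
                 -Inheritance $desc -InheritedObjectType $computerGuid
}

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify what the group now holds on the OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The final listing is the check to run after either the wizard or the script: the group should show CreateChild/DeleteChild scoped to the computer class, an ExtendedRight entry for Reset Password, ReadProperty/WriteProperty for Account Restrictions, and two Self entries for the validated writes, all with InheritedObjectType equal to the computer class GUID. A join that still fails after this usually means the existing computer object lives in a different OU from the one that was delegated.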
To resolve the issue in which users can't reset passwords, follow these steps:
1. Select Start, select Run, type dsa.msc, and then select OK.
2. In the task pane, expand the domain node.
3. Locate and right-click Builtin, and then select Properties.
4. In the Builtin Properties dialog box, select the Security tab.
5. In the Group or user names list, select Account Operators.
6. Under Permissions for Account Operators, select the Allow check box for the Read permission, and then select OK.
7. If you want to use a group or user other than the Account Operators group, repeat steps 5 and 6 for that group or user.
8. Close the "Active Directory Users and Computers" MMC snap-in.
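To check whether a group already has the Read permission on the Builtin container, and to grant it only when it is missing, the following script is an added example and not part of the KB article. It assumes the ActiveDirectory module; the group name is a placeholder that defaults to Account Operators and can be any other delegated group or user, as step 7 allows. The Read check box on the Security tab corresponds to the GenericRead right, and the script applies it to the container and its descendants.

```powershell
# Added example (not from the KB article): check for, and if needed grant, Allow Read on
# the Builtin container for a group. $GroupName is a placeholder.
Import-Module ActiveDirectory

$GroupName = 'Account Operators'                               # or another delegated group
$builtinDn = "CN=Builtin,$((Get-ADDomain).DistinguishedName)"
$sid       = (Get-ADGroup -Identity $GroupName).SID
$readRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

$acl = Get-Acl -Path "AD:\$builtinDn"

# Any Allow ACE (explicit or inherited) for this SID that covers every bit of GenericRead
# on the whole object, not just a single property.
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    ($_.ActiveDirectoryRights -band $readRight) -eq $readRight -and
    $_.ObjectType -eq [guid]::Empty
}

if ($existing) {
    "{0} already has Read on {1}" -f $GroupName, $builtinDn
} else {
    # Same effect as selecting Allow for Read on the Security tab (steps 5 and 6).
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $readRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$builtinDn" -AclObject $acl
    "Granted Read on {0} to {1}" -f $builtinDn, $GroupName
}
```

Running the script a second time reports that the permission is already present rather than adding a duplicate ACE, which makes it safe to run as a scheduled check across domains.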