I'm in the process of putting together a Puppet recipe which will install Likewise Open on Linux machines and join them to a specific OU in our AD structure.
Since the only practical way to do this involves storing the credentials of an AD user in plain text in the Puppet manifest, I want to create a dedicated AD user which only has rights to join computers to a specific OU.
I recall doing something like this years ago but I'm a little rusty on the details.
I have already created an AD user and made sure it is in the Domain Guests group rather than Domain Users, but I'm not sure of the exact details I should use when I delegate rights to this user on the OU.
Can someone tell me the specific options and rights I need to use in the Delegate Control wizard?
I would recommend creating a group named something like Account Management Computers, to which you would add this account as a member. This way you can always modify the group members to update delegation without changing the ACL.
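
The group-based delegation described in this answer, sketched in PowerShell as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module and `dsacls` are available and that a first-time join needs only the "Create Computer objects" right on the OU. The OU paths and the account name `svc-puppet-join` are placeholders.

```powershell
# Added example: OU paths and the service account name are placeholders.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$netbios   = $domain.NetBIOSName
$targetOu  = "OU=Linux Servers,$($domain.DistinguishedName)"  # placeholder: OU the machines join
$groupOu   = "OU=Groups,$($domain.DistinguishedName)"         # placeholder: where the group lives
$groupName = 'Account Management Computers'                   # group name suggested in the answer
$joinUser  = 'svc-puppet-join'                                # placeholder: dedicated join account

# 1. Create the delegation group once, then add the join account if it is missing.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOu
}
$members = Get-ADGroupMember -Identity $groupName | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $joinUser) {
    Add-ADGroupMember -Identity $groupName -Members $joinUser
}

# 2. Grant the group "create child: computer" on the target OU only.
#    No /I: switch, so the ACE applies to this OU and is not inherited by child OUs.
dsacls $targetOu /G "${netbios}\${groupName}:CC;computer"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# 3. Read the ACL back and flag any explicit ACE for the group that is broader
#    than Allow / CreateChild / computer class.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
$aces = (Get-Acl -Path "AD:\$targetOu").Access | Where-Object {
    $_.IdentityReference.Value -eq "$netbios\$groupName" -and -not $_.IsInherited
}
$unexpected = $aces | Where-Object {
    $_.AccessControlType     -ne 'Allow'       -or
    $_.ActiveDirectoryRights -ne 'CreateChild' -or
    $_.ObjectType            -ne $computerClass
}

if (-not $aces) {
    Write-Warning "No explicit ACE for '$groupName' found on $targetOu"
} elseif ($unexpected) {
    Write-Warning "Group holds rights beyond 'Create Computer objects':"
    $unexpected | Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
} else {
    Write-Output "OK: '$groupName' can only create computer objects in $targetOu"
}
```

This covers creating a new computer object during the join; re-joining over an existing computer object needs further rights on computer objects, which this example deliberately does not grant.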