Place a computer object in an OU based on the user who added it

Have them use netdom to join the machine to the specific OU they manage:

netdom help join
The syntax of this command is:


NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]
           [/PasswordD:[password | *]]
           [/UserO:user] [/PasswordO:[password | *]]
           [/PasswordM:[password | *]]
           [/ReadOnly]
           [/REBoot[:Time in seconds]]
           [/SecurePasswordPrompt]

NETDOM JOIN Joins a workstation or member server to the domain.

machine is the name of the workstation or member server to be joined

/Domain         Specifies the domain which the machine should join. You
                can specify a particular domain controller by entering
                /Domain:domain\dc. When /ReadOnly option is used, you
                must specify a domain controller.

/UserD          User account used to make the connection with the domain
                specified by the /Domain argument

/PasswordD      Password of the user account specified by /UserD.  A * means
                to prompt for the password

/UserO          User account used to make the connection with the machine to
                be joined

/PasswordO      Password of the user account specified by /UserO.  A * means
                to prompt for the password

/OU             Organizational unit under which to create the machine account.
                This must be a fully qualified RFC 1779 DN for the OU.
                If not specified, the account will be created under the default
                organization unit for machine objects for that domain.

/PasswordM      Password of the pre-created computer account, whose name is
                specified by the machine parameter. A * means to prompt
                for the password. This option must be used with /ReadOnly
                option.

/ReadOnly       Perform a domain join using a pre-created computer account and
                without performing any writes to a domain controller. This
                option therefore, does not require a writable domain controller.
                You must specify the domain controller (using /Domain option)
                and computer account password (using /PasswordM option)
                when the option is used. This option cannot be used with /OU
                option.

/REBoot         Specifies that the machine should be shutdown and automatically
                rebooted after the Join has completed.  The number of seconds
                before automatic shutdown can also be provided.  Default is
                30 seconds

/SecurePasswordPrompt
                Use secure credentials popup to specify credentials. This
                option should be used when smartcard credentials need to be
                specified. This option is only in effect when the password
                value is supplied as *

Windows Professional machines with the ForceGuest setting enabled (which is the
default for machines not joined to a domain during setup) cannot be remotely
administered. Thus the join operation must be run directly on the machine
when the ForceGuest setting is enabled.

When joining a machine running Windows NT version 4 or before to the domain
the operation is not transacted.  Thus, a failure during the operation could
leave the machine in an undetermined state with respect to the domain it is
joined to.

The act of joining a machine to the domain will create an account for the
machine on the domain if it does not already exist.


NETDOM HELP command | MORE displays Help one screen at a time.

Not sure what is more specific then pre-staging the computer objects in the correct OU. If you have already delegated this right to the admins, that would be the quickest / simplest way. You could use the netdom command as Jim pointed out, but that requires entering the correct LDAP path each time, which is error prone.

EDIT:

Another alternative if you have a Server 2008 R2 DC and are adding server 2008 R2 servers or Windows 7 clients is to use the Offline domain join.

The admins would have to provision the computer object using the following on Windows 7 or Server 2008 R2:

djoin /provision /Domain <domain> /Machine <PCName> /MachineOU <ldap Path> /Savefile <PCName>.txt

They could then copy the file to the computer to be added and run:

djoin /RequestODJ /loadfile <PCName>.txt /Windowspath C:\Windows 

This could be used to add the PC to the domain when it has not network connectivity.

You can use the delegate control feature in active directory to apply permissions on each specific OU that you want your guys to drop their computers into. One, caveat, they cannot have permission to add computer objects elsewhere in the domain, otherwise, it'll pick the first OU it finds (I think!?!).

For instance, say you have an OU called Other_Computers. 1. You'll right click that, select Delegate Control, click Next, and then select the user you want to delegate control to.

2. Then it gets tricky, instead of using the stock delegation tasks, you need to select "Create a Custom Task to Delegate".
3. Then select "Only the objects in this folder" and check "Computer Objects".
4. Then check "Create selected objects in this folder" (You can also select "Delete selected objects in the folder" if you want them to be able to delete computers) and click next.
5. Then, on the next screen, you have to select "Create All Child Objects" (also Delete all Child Objects if opted to Delete objects in the folder).
6. Then Next and Finish and your done.

Once, you've done that, assuming the user does not have rights to add a computer object elsewhere in the domain, any computers they add will automatically be added to that OU.