I've decided to review delegated permissions our branches have over Active Directory computer objects and reorganize things a bit.
One thing which stunned me is the fact that I need (according to lore all over the Internet) to grant Write All Properties to the security group in question over the OU in which my computers are, just to rename a computer.
So I need to assign 1 permission to enable/disable a computer account, 5 permissions to move computers between OUs and... permission to write virtually every property of a computer simply to rename the thing? WTF?
Is the Internet wrong? Are Microsoft nuts? What are you doing to restrict people simply to the renaming of computers?
There is no explanation on the web of why such a mundane task as renaming a computer should require privileges which allow a user to do pretty much anything with the computer account besides renaming it.
So that random hooligans/hackers/idiots/people who have no business doing this can't go around renaming computer accounts.
Imagine if an end user were able to rename computer accounts and managed to rename the computer account of a Domain Controller, an Exchange server, or any other computer that's serving up a critical LOB application.
Through trial and error I figured out that the minimal permissions to rename a computer object in the domain are (in c:\Windows\System32\delegwiz.inf format):
ObjectTypes = computer
[templateNN.computer]
cn=WP
name=WP
distinguishedName=WP
sAMAccountName=WP
CONTROLRIGHT = "Account Restrictions","Validated write to DNS host name","Validated write to service principal name"
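The same minimal set applied with PowerShell, as an added example that is not from the post above or from Microsoft: it grants the four WP attributes, the Account Restrictions property set and the two validated writes to one group over descendant computer objects of one OU, and then lists only what that group ended up with so nothing broader slipped in. The OU DN and group name are placeholders; attribute and right GUIDs are resolved from the schema and CN=Extended-Rights of the forest rather than hard-coded, and the script must run as someone allowed to modify the OU's security descriptor.

```powershell
# Added example (not the post's own code). Placeholders: OU DN and group name below.
Import-Module ActiveDirectory
$OuDN      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$GroupName = 'Branch-Computer-Renamers'            # placeholder delegated group

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID is stored as a 16-byte blob; cast it to [guid].
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)"
    [guid]$obj.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    # Property sets and validated writes both live under CN=Extended-Rights.
    $obj = Get-ADObject -SearchBase $rightsDN -Properties rightsGuid `
        -LDAPFilter "(displayName=$DisplayName)"
    [guid]$obj.rightsGuid
}
function New-Ace($Right, [guid]$ObjectType) {
    # Inherit-only ACE scoped to descendant objects of class "computer".
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Right, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass)
}

$sid           = (Get-ADGroup $GroupName).SID
$computerClass = Get-SchemaGuid 'computer'
$WP            = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$Self          = [System.DirectoryServices.ActiveDirectoryRights]::Self   # validated writes
$acl           = Get-Acl -Path "AD:\$OuDN"

# WP on the four attributes the post found necessary (cn=WP, name=WP, ...).
foreach ($attr in 'cn', 'name', 'distinguishedName', 'sAMAccountName') {
    $acl.AddAccessRule((New-Ace $WP (Get-SchemaGuid $attr)))
}
# One ACE covers the whole Account Restrictions property set.
$acl.AddAccessRule((New-Ace $WP (Get-RightsGuid 'Account Restrictions')))
# Validated writes are granted as "Self" rights keyed by the extended right's GUID.
foreach ($vw in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $acl.AddAccessRule((New-Ace $Self (Get-RightsGuid $vw)))
}
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# Check: re-read the OU and show only the ACEs held by the delegated group.
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Compare the printed ObjectType GUIDs against the values returned by Get-SchemaGuid and Get-RightsGuid; any ACE for the group with an empty ObjectType means a rename delegation that is wider than the list above.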
To rename computers in AD, the following permissions, applied to computer objects, are necessary: