Usually, when you join a computer to the domain, the account of this computer is created in the Computers container.
I have a remote office and an OU for this office in AD. That office has a local system administrator. He should be able to join computers in his office to the domain. I've given him permission to create computer objects in the Computers container.
I want his computers to be in his office OU. So I gave him full control permissions on his OU and the delete computer objects permission in the Computers container. Actually, I hoped it would let him move computer accounts from the Computers container to his OU. But he can't, because of an Access denied error. What have I done wrong? On the other hand, I would prefer that computer accounts which the remote sysadmin creates by joining a computer to the domain be created directly in his OU. Is there any way to implement this?