Move the default domain Administrator account to a new OU without breaking something

I actually had to set this up for myself recently. We have some custom code that does computer prestaging for new computers when they PXE boot and runs as a service account.

• Check for computer accounts in AD

Any user in the Domain Users group should be able to do this out of the box without any additional permissions unless you've changed default permissions in places or added Deny ACLs on things.

• Join computers to a domain (not restricted to 10, like a normal user)
• Delete computers from AD
• Move computers between OUs

For these, you first have to decide where you want this access to be given. It's easy to just grant permissions at the root of the domain, but not terribly wise. Usually, you have an OU or set of OUs where computer accounts live. So you should apply the following permissions to those containers specifically. Permissions to join a computer to the domain just requires the ability to create a computer account and set it's properties. Moving a computer between OUs requires the ability to delete the account from one place and create it in another. All that said, here's what permissions you need to grant on each OU:

• This object and all descendants
  • Create Computer objects
  • Delete Computer objects
• Descendant Computer objects
  • Read all properties
  • Write all properties
  • Change password
  • Reset password
  • Validated write to DNS host name
  • Validated write to service principal

I also have an additional bit of advice. Don't grant these permissions to the service account directly. Create a group like Computer Admins and make the service account a member of that group. Then, grant the permissions to the group. That way if you have additional people or service accounts that need the same permissions, you only need to modify the group's membership.

It should be noted that computer and user accounts can only "see" their respective portion of a group policy object. In other words, when a user account logs on, if it processes a GPO that only contains computer settings, that GPO it will appear to be "empty" to the user account because it did not contain any settings that the user account could see.

Unless GPResult is showing or not showing a policy setting it should/shouldn't be, then you can ignore errors about the GPO being empty.