Unable to move Computer account to new ou after moving it once

I know that this is very late, but I accomplish similar functionality for clients without Infopath, but with System Center instead.

System Center Service Manager has a Self-Service Portal where IT staff can list services that they offer (create accounts, provision VMs, raise mail quotas, etc). System Center Orchestrator can capture the data input by the users into the portal and take custom actions, such as creating user accounts. All of this is capable of being integrated into SharePoint.

I actually had to set this up for myself recently. We have some custom code that does computer prestaging for new computers when they PXE boot and runs as a service account.

• Check for computer accounts in AD

Any user in the Domain Users group should be able to do this out of the box without any additional permissions unless you've changed default permissions in places or added Deny ACLs on things.

• Join computers to a domain (not restricted to 10, like a normal user)
• Delete computers from AD
• Move computers between OUs

For these, you first have to decide where you want this access to be given. It's easy to just grant permissions at the root of the domain, but not terribly wise. Usually, you have an OU or set of OUs where computer accounts live. So you should apply the following permissions to those containers specifically. Permissions to join a computer to the domain just requires the ability to create a computer account and set it's properties. Moving a computer between OUs requires the ability to delete the account from one place and create it in another. All that said, here's what permissions you need to grant on each OU:

• This object and all descendants
  • Create Computer objects
  • Delete Computer objects
• Descendant Computer objects
  • Read all properties
  • Write all properties
  • Change password
  • Reset password
  • Validated write to DNS host name
  • Validated write to service principal

I also have an additional bit of advice. Don't grant these permissions to the service account directly. Create a group like Computer Admins and make the service account a member of that group. Then, grant the permissions to the group. That way if you have additional people or service accounts that need the same permissions, you only need to modify the group's membership.