Add computer the account already exists

Allow Domain User To Add Computer to Domain

In this post you will see how to allow a domain user to add a computer to the domain, that is, to let the user join workstations to the domain. You might say that a domain user can already join computers to the domain, so what is the problem? Here is the right information: by default any authenticated user has this right and can create up to 10 computer accounts in the domain. When the user tries to add the 11th computer to the domain, the join fails with an error.

As per Microsoft, users who have the Create Computer Objects permission on the Active Directory Computers container can also create computer accounts in the domain. The difference is that users with permissions on the container are not restricted to creating only 10 computer accounts. In addition, computer accounts created by means of the Add workstations to domain user right have Domain Admins as the owner of the computer account, whereas computer accounts created by means of permissions on the Computers container have the creator as the owner. If a user has permissions on the container and also holds the Add workstations to domain user right, the computer is added based on the container permissions rather than on the user right.
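The two mechanisms described above leave different traces, which makes them auditable. A computer account created under the Add workstations to domain right records the joining user's SID in the mS-DS-CreatorSID attribute (accounts created through container permissions do not carry it), and the per-user limit itself is the ms-DS-MachineAccountQuota attribute on the domain object. The following script is an added example, not code from the post: it reads the quota and reports, per creator, how many accounts were joined under the user right and whether that creator has hit the limit. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the domain.

```powershell
# Added example (not the post's own code): audit the join quota and who has used it.
# Assumes: RSAT ActiveDirectory module, domain-joined session with read access.
Import-Module ActiveDirectory

# The per-user join limit lives on the domain naming context object
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# Accounts joined under the "Add workstations to domain" right carry the creator's SID in
# mS-DS-CreatorSID and are owned by Domain Admins; accounts created via container
# permissions lack the attribute (and are owned by their creator), so they are not listed here.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated

$report = $joined | Group-Object {
    # The attribute comes back as raw bytes on most module versions; normalise to a SID string
    $raw = $_.'mS-DS-CreatorSID'
    if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw.Value }
    else { (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value }
} | ForEach-Object {
    $sidString = $_.Name
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sidString }   # creator account may have been deleted since the join
    [pscustomobject]@{
        Creator   = $who
        Computers = $_.Count
        AtQuota   = ($quota -gt 0 -and $_.Count -ge $quota)
        Names     = ($_.Group.Name -join ', ')
    }
}

$report | Sort-Object Computers -Descending | Format-Table -AutoSize
```

A creator showing AtQuota is exactly the user who will hit the error mentioned above on the next join; a creator with an unexpectedly large count, or a service or shared account appearing as creator at all, is worth a closer look, since the accounts it created are owned by Domain Admins rather than by the creator and will not show up in a review of container permissions.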

There are 2 ways to allow a domain user to add or join a computer to the domain.

1) Assign the right to the user/group using the Default Domain Group policy.

2) Delegate the right to the user/group using Active Directory Users and Computers.

Method 1 – Assign rights to the user/group using the Default Domain Group policy

To allow a user or group to add a computer to the domain, perform the steps below.

Log in to the domain controller and launch the Group Policy Management console. Right-click the Default Domain Group policy and click Edit.


Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Expand User Rights Assignment. On the right-hand side, double-click the Add workstations to domain policy.


Check the box Define these policy settings. Click Add User or Group and select the user or group. Click Apply and then OK.


Method 2 – Delegate rights to user/group using Active Directory Users and Computers

Open the Active Directory Users and Computers snap-in. Right-click the container under which you want the computers to be added (in this example I am choosing the Computers container) and click Delegate Control.


You will now see the Delegation of Control Wizard. Click Next.


To add a user or group, click Add. Once you are done, click Next.


Tasks to Delegate – click Create a custom task to delegate. Click Next.


Choose Only the following objects in the folder and check the box Computer Objects. Check the box Create selected objects in this folder. Click Next.


Permissions – select General, then select Create All Child Objects. Click Next.


Click Finish.
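What the wizard writes underneath the steps of Method 2 is a single access control entry on the container: an Allow ACE for CreateChild, scoped to the computer object class, applying to this container only. The script below is an added example, not code from the post, that sets the same delegation with Set-Acl and then reads the container's ACL back so the result can be verified (the read-back is also the check to run when reviewing who can create computer accounts without being subject to the 10-account quota). The group name WorkstationJoiners is hypothetical; the module and the AD: drive it provides are assumed to be available.

```powershell
# Added example (not the post's own code): delegate "Create Computer objects" on the
# Computers container to a group, equivalent to the Delegation of Control Wizard steps above.
# Assumes: RSAT ActiveDirectory module (provides the AD: drive); group name is hypothetical.
Import-Module ActiveDirectory

$groupName   = 'WorkstationJoiners'                 # hypothetical group receiving the right
$containerDn = (Get-ADDomain).ComputersContainer   # e.g. CN=Computers,DC=corp,DC=example

# Schema class GUID of 'computer'; this value is the same in every AD forest
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$groupSid = (Get-ADGroup -Identity $groupName).SID
$acl      = Get-Acl -Path "AD:\$containerDn"

# Allow the group to create child objects of class computer, in this container only
# (InheritanceType None matches the wizard's "Create selected objects in this folder")
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# Read back: every ACE on the container that grants creation of computer objects.
# Run this part alone to audit who already holds the right.
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        ($_.ObjectType -eq $computerClassGuid -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, ObjectType
```

The read-back deliberately also matches ACEs whose ObjectType is the empty GUID, because a CreateChild grant with no class restriction covers computer objects as well. As the post notes, accounts created through this delegation are owned by their creator and are not counted against the quota, so the list of identities this query returns is the list to keep small.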


I successfully demoted an old domain controller (Windows Server 2016) in a clean manner, cleanly removed the server from the domain, deleted the associated object in 'Computers' on Active Directory Users and Computers, but when I went to rename the new domain controller (Windows Server 2019) to the name of the old domain controller, I get the following error:

The account already exists.

So I scoured Active Directory Users and Computers, DNS Manager, Active Directory Sites and Services, and even the registry on the domain controller itself. I've restarted the domain controller numerous times. There is no mention of the old domain controller's name, but I still get this error, regardless of whether I run Rename-Computer in PowerShell or NETDOM at the command line:

The account already exists.

Now, the old domain controller was running Active Directory Certificate Services as well, but I removed all the data entries created by the old CA service from Active Directory Sites and Services.

Is there any place else to look for references to the old domain controller?
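The places named in the question (Users and Computers, DNS Manager, Sites and Services) each show one partition of the directory through one console. A retired domain controller can leave objects in several partitions at once: the domain partition (its account in the Domain Controllers OU), the configuration partition (its server and NTDS Settings objects, and the pKIEnrollmentService object of a CA it hosted under Public Key Services), and the DomainDnsZones and ForestDnsZones application partitions that hold AD-integrated DNS records. The script below is an added example, not part of the question or any answer: it enumerates every naming context the queried DC hosts and searches each one, tombstones included, for objects still carrying the old name. OLD-DC-NAME is a placeholder for the retired controller's host name.

```powershell
# Added example (not from the question): find any remaining object with the old DC's name
# across every naming context this DC hosts, including deleted (tombstoned) objects.
# Assumes: RSAT ActiveDirectory module; OLD-DC-NAME is a placeholder host name.
Import-Module ActiveDirectory

$oldName = 'OLD-DC-NAME'
$root    = Get-ADRootDSE

# Substring match on the naming attributes that carry a host name in the different
# object types: computers (sAMAccountName, dNSHostName), server/NTDS Settings objects
# and CA enrollment services (cn, dNSHostName), and DNS nodes (name).
$filter = "(|(cn=*$oldName*)(name=*$oldName*)(dNSHostName=*$oldName*)(sAMAccountName=*$oldName*))"

$results = foreach ($nc in $root.namingContexts) {
    # namingContexts lists the domain, configuration and schema partitions plus any
    # application partitions (DomainDnsZones, ForestDnsZones) held by this DC
    $hits = Get-ADObject -LDAPFilter $filter -SearchBase $nc -SearchScope Subtree `
                -IncludeDeletedObjects -Properties objectClass, whenChanged, isDeleted `
                -ErrorAction SilentlyContinue
    foreach ($h in $hits) {
        [pscustomobject]@{
            Partition   = $nc
            Object      = $h.DistinguishedName
            Class       = $h.ObjectClass
            Deleted     = [bool]$h.isDeleted
            LastChanged = $h.whenChanged
        }
    }
}

if ($results) { $results | Sort-Object Partition, Object | Format-Table -AutoSize }
else          { "No object named like '$oldName' found in any partition hosted by $($root.dnsHostName)" }
```

Run it against more than one domain controller (the -Server parameter of Get-ADObject and Get-ADRootDSE selects the target) if replication may not have converged, since a live object on one DC and a tombstone on another is exactly the situation in which a name can be reported as already in use.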