I am implementing "Protected Users" and came across this problem, to which I couldn't find a solution anywhere: I cannot join computers to the domain with delegated permissions. Instead, the "Add workstations to the domain" right was assigned to a group.
Extensive background:
It is my understanding that members of Protected Users will be forced to use Kerberos authentication. In fact, that's what I see when trying to join a workstation after granting a member of this group the following permissions on the Computers container:
Delegation at the "Computers" container:
- Create computer objects (This object and all descendants)
- Read/write account restrictions (Descendant Computer objects)
- Validated write to service principal name (Descendant Computer objects)
- Validated write to DNS host name (Descendant Computer objects)
- Create all child objects (Descendant Computer objects)
- Reset password (Descendant Computer objects)
Tested on two users: a user with "Protected Users" group membership and a user without "Protected Users" group membership. Both users are part of the delegation group.
Test itself:
When trying to add a computer to the domain, a user who is not in the Protected Users group successfully adds the workstation to the domain. A user in the Protected Users group will receive an error: "Account restrictions are preventing this user from signing in". I can see the NTLM authentication failure under the ProtectedUserFailures-DomainController log.
However, changing the Group Policy to grant "Add workstations to the domain" to the group both users belong to changes the outcome to success for both. Now I can see entries under ProtectedUserSuccesses-DomainController with Kerberos authentication.
So my question is: What mechanisms are in play and what permissions can I delegate to achieve the same result, or is this not possible? How come the user right allows this action to be completed for a member of "Protected Users" group, while simple delegation does not?
Before anyone asks, this was tested and works in prod as well as in a simple test environment you can recreate with the info above.
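To reproduce the comparison described in this question on the domain controller side, the following PowerShell script collects the three pieces of evidence the post relies on: whether each test account is (directly or through nesting) a member of Protected Users, which ACEs the delegation group actually holds on the Computers container, and what the two Protected Users operational logs named above recorded during the join attempts. This is an added example written for this page, not code from the poster; the account names, the delegation group name and the look-back window are placeholders to be replaced with your own values.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the question). Run on a domain controller with the
# RSAT ActiveDirectory module. Placeholder values: -TestUsers, -DelegationGroup.
param(
    [string[]]$TestUsers = @('joiner-normal', 'joiner-protected'),  # placeholder sAMAccountNames
    [string]$DelegationGroup = 'Workstation-Joiners',               # placeholder group name
    [int]$LookBackHours = 24
)

Import-Module ActiveDirectory

$domain             = Get-ADDomain
$computersContainer = $domain.ComputersContainer   # e.g. CN=Computers,DC=example,DC=local

# 1. Membership check. Protected Users is resolved recursively because a user
#    inherits the restrictions through nested group membership as well.
$protectedMembers = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName

Write-Host "== Protected Users membership =="
foreach ($u in $TestUsers) {
    [pscustomobject]@{
        User          = $u
        ProtectedUser = ($protectedMembers -contains $u)
    }
}

# 2. Delegated ACEs on the Computers container held by the delegation group.
#    ObjectType / InheritedObjectType are the schema GUIDs of the right and of
#    the object class it applies to (e.g. the Computer class for "descendant
#    Computer objects" entries); compare them against the list in the question.
Write-Host "== ACEs for $DelegationGroup on $computersContainer =="
$acl = Get-Acl -Path "AD:\$computersContainer"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$DelegationGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# 3. DC-side Protected Users logs referenced in the question. The failures log
#    is where the NTLM rejection shows up; the successes log is where the
#    Kerberos path shows up once the join works.
$since = (Get-Date).AddHours(-$LookBackHours)
$logs  = @(
    'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController',
    'Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController'
)
foreach ($log in $logs) {
    Write-Host "== $log (since $since) =="
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message |
        Format-List
}
```

Both DC logs are disabled by default; if section 3 prints nothing even though a join was attempted, enable them first with `wevtutil set-log "<log name>" /enabled:true` and repeat the join. Comparing the ACE output against the delegation list is also a quick way to confirm that the ACEs were really applied with the intended inheritance scope before concluding that the difference is caused by the Protected Users restriction.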