By default, an authenticated user can join up to 10 computers to a domain. Once they exceed 10 machines, (s)he will no longer be able to add any more computers to the domain. Ever. Neat!
So, in order to allow key users/groups to add computers to the domain, you’ll need to do the following:
1) Hop on an AD domain controller
2) Bring up “Active Directory Users and Computers” (Start > Run > dsa.msc)
3) Right-click on your domain and choose :Delegate Control…”:
4) Hit Next on the welcome screen and hit the Add button to add the users and groups you need, and then hit Next again:
5) Chick the box for “Join a computer to the domain” and hit Next:
6) Hit Finish to complete the wizard
7) Now you’ll need to remove the 10-item-limit… open ADSI Edit (Start > Run > adsiedit.msc)
8) Expand the tree until you see your domain… right-click on it and choose Properties:
9) Scroll down until you find the “ms-DS-MachineAccountQuota” item and click Edit:
10) Click the Clear button, hit OK, hit OK again, and close ADSI Edit:
This should make it so that selected users & groups can join computers to the domain without running up against the 10-item-limit.