Apparently you need the following to connect the ACS to the AD domain:
• Add workstations to domain user right in the corresponding domain.
• Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ACS machine's account is pre-created (created before joining the ACS machine to the domain).
I am being asked by the AD guy why we need this sort of permission.
Does anyone know?
Those privileges are required because, during the ACS-AD integration, the ACS must create a computer account under Domain Computers in AD. This is because, for Microsoft AD, all authentication requests must come from a computer, so this ACS computer account is used for that purpose.
This is something that we cannot avoid, and you will notice that without those privileges the ACS will not join AD; you will start getting error messages. Let me know if you need more information.
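The permissions the thread lists can be delegated narrowly rather than by handing the join account broad rights. The PowerShell below is an added example, not code from the original posts or from Cisco: it scopes Create Computer Objects / Delete Computer Objects to one OU for the account the ACS uses to join, then verifies the resulting ACE and, on a domain controller, shows who currently holds the "Add workstations to domain" user right. The domain `example.local`, the OU `OU=NAC,DC=example,DC=local`, the join account `EXAMPLE\svc-acs-join` and the ACS host name `ACS01` are assumed names; the schemaIDGUID used is the well-known one for the `computer` class.

```powershell
# Added example (not from the original thread). Assumed names: domain example.local,
# OU "OU=NAC,DC=example,DC=local", join account EXAMPLE\svc-acs-join, ACS host ACS01.
# Run as a user allowed to modify the OU's security descriptor (e.g. Domain Admins).
Import-Module ActiveDirectory

$Ou          = 'OU=NAC,DC=example,DC=local'   # assumed container the ACS account lives in
$JoinAccount = 'EXAMPLE\svc-acs-join'         # assumed account ACS authenticates with to join
$AcsName     = 'ACS01'                        # assumed ACS host name

# 1. Pre-create the ACS computer object in the OU (the scenario described in the question).
if (-not (Get-ADComputer -Filter "Name -eq '$AcsName'" -SearchBase $Ou)) {
    New-ADComputer -Name $AcsName -Path $Ou
}

# 2. Delegate only "Create Computer Objects" and "Delete Computer Objects" on that OU.
#    CreateChild/DeleteChild restricted to the 'computer' class schemaIDGUID is exactly
#    what the Delegation of Control wizard writes for those two check boxes.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$Sid = (New-Object System.Security.Principal.NTAccount($JoinAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$Acl  = Get-Acl -Path "AD:\$Ou"
$Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$Acl.AddAccessRule($Rule)
Set-Acl -Path "AD:\$Ou" -AclObject $Acl

# 3. Verify: show the ACEs on the OU granted to the join account for the computer class.
(Get-Acl -Path "AD:\$Ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinAccount -and
                   $_.ObjectType -eq $ComputerClassGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType -AutoSize

# 4. On a domain controller: who holds "Add workstations to domain" (SeMachineAccountPrivilege).
#    The right is a GPO setting, so it is inspected from the effective security policy, not AD ACLs.
$PolicyFile = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $PolicyFile | Out-Null
Select-String -Path $PolicyFile -Pattern '^SeMachineAccountPrivilege'
Remove-Item $PolicyFile -ErrorAction SilentlyContinue
```

Scoping the ACE to the one OU and to the `computer` class means the ACS join account cannot create or delete any other object type anywhere else, which is usually the answer the AD team is looking for when they ask why the permission is needed. The SIDs printed by step 4 are the principals the policy grants the user right to; resolve them with `Get-ADObject`/`Get-ADGroup` if they are not obvious.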