220.127.116.11.2.1 Security Considerations
In the case of Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system, in the absence of RIGHT_DS_CREATE_CHILD, computer object creation requires that the security constraints and state changes specified in step 13 of [MS-SAMR] section 18.104.22.168.4 be followed.
For application NC creation (see section 22.214.171.124.2.6), the requester must have sufficient permissions to create the crossRef object in the Partitions container on the domain naming FSMO, or to take over an existing crossRef object (in case of pre-created crossRef). See section 126.96.36.199.2.6 for more details.
If any attributes being added are marked in the schema as partition secrets (see the SE flag in section 2.2.9), the requester must have the control access right DS-Write-Partition-Secrets on the root object of the naming context to which the modified object belongs.