The unity.ad domain was set up so that any authenticated user can "add a workstation to the domain"

Adding a workstation to the domain means that a computer account is created (a "service principal" in Kerberos-speak) which allows the domain controllers and workstations to authenticate each other and setup a secure cryptographic channel for private communications. The workstation can then accept policies, including those that set security settings, and allow logins for accounts held in the domain.

To configure the domain so that any user could join a workstation, two steps were taken:

1. The "Create Computer Objects" and "Delete Computer Objects" Access Control Entries (ACEs) for the OU=Computers,OU=Unassigned container were granted to to "authenticated users", following the recipie in MS KB 251335

2. The command

redircmp.exe "ou=Computers,ou=Unassigned,ou=Or ganizations,dc=unity,dc=ad,dc=ncsu,dc=edu"

was run as a domain admin, to set the default location for new computer accounts to appear.