Account operators cannot always join the domain

  • Account operators cannot always join the domain

    Hi all, we've been having sporadic problems with computers unable to join the domain using account operator authentication. I am a domain admin and will oftentimes (well, 5% of the time) have to join PCs to the domain for the other technicians. I originally suspected that a GPO on a bad ghost disc was causing the issue. I'd take a clean group policy folder from another computer, overwrite the sys32 folder with it and it would work for 50% of those machines. Unfortunately we have thousands and thousands of machines here and it would simply be impossible to reghost them all, so I've been trying to track down a more specific cause, but have been unsuccessful.

    We had a case where 16 identical computers were made using the same ghost. Approximately 5 of these were able to join the domain using account operator logins. After applying the new group policy folder another 5 of these were able to join the domain. The remaining six were unable to join without using my login/pass. We used the same network cable for all of these machines. What policies might be restricting this? Any other ideas for other possible causes?

  • #2
    Re: Account operators cannot always join the domain

    What's the error you get when domain joining fails with "Account Operator"?

    Regards,
    Kapil Sharma
    ~~~~~~~~~~~~~
    Life is too short, Enjoy It.


    • #3
      Re: Account operators cannot always join the domain

      Access denied


      • #4
        Re: Account operators cannot always join the domain

        Does the Account Operators group have the "Add workstations to Domain" policy on all DCs? Maybe it's only set on 50% of the DCs and depending on which DC the client hits it's either denied or granted.


        • #5
          Re: Account operators cannot always join the domain

          Read the answer to your question here:

          Error message when non-administrator users who have been delegated control try to join computers to a Windows Server 2003-based domain controller: "Access is denied"
          It's easier to beg forgiveness than ask permission.
          Give karma where karma is due...


          • #6
            Re: Account operators cannot always join the domain

            I don't think it should matter since Account Operators are a built-in group, but I went ahead and defined the OU to that specific User Right Assignment policy anyway. I guess time will tell if it works.

            Again, the thing that's been making it so difficult to troubleshoot is the complete randomness of the event. ~5% of machines only. Thanks again for the tips and nice article link James. Missed that one in my Google searches. If it happens again I'll try it out.


            • #7
              Re: Account operators cannot always join the domain

              Fixed

              James wins the prize. Account Operators aren't granted read permission on the built-in OU. Always assumed that they could by default. Applied the fix and it works perfectly now.
