access denied when adding computer to domain
  • access denied when adding computer to domain

    Hi,

    We have a WIN2k3 environment.

    I've delegated the right to add computers to the domain to an AD group via the Delegation of Control wizard.
    I delegated it over the Computers folder, and the members of the AD group are also local admins on all workstations by GPO.

    However, when anyone in this AD group tries to add a computer to the domain it says access denied.

    Is there something I'm doing wrong??

  • #2
    Re: access denied when adding computer to domain

    I don't think you can delegate to the computer container only -- it has to be at the domain (sorry, no AD in front of me to check on)
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: access denied when adding computer to domain

      Ossian,

      I'll give that a shot.

      I also tried a group policy applied at the computer container level giving the "add computer to domain" user right to the AD group, but that didn't do the work either.

      I'll either delegate control at the domain level or apply a GP at the domain level and see if that does the trick.

      Thanks!!

      Cola123



      • #4
        Re: access denied when adding computer to domain

        I tried delegating control to the AD group at the domain level and choosing "join computer to the domain" from the list in the delegation of control wizard.

        This didn't work.

        I tried creating a GPO that gave the AD group the add computer to domain user rights permission. I forced a GP update on the DC, rebooted a PC and tried to add it to the domain - this didn't work.


        Still saying access denied??



        • #5
          Re: access denied when adding computer to domain

          Fixed it.

          Some bloke called Jorge had the right info on his website.

          http://blogs.dirteam.com/blogs/jorge...01/05/369.aspx

          I followed the instructions here and it allows you to delegate the ability to add computers to the domain but only within a specific OU, via editing the delegwiz.inf file that controls what the delegation of control wizard does.

          I made the changes to the delegwiz.inf file, delegated control over the custom computers OU (i.e. I've used redircomp to change the default folder computer accounts are created in) and when I went to add the computer - this time no access denied. Worked flawlessly.

          YAY!


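To check what a delegation like the one in post #5 actually left on the OU, the following added example (not part of the thread and not taken from the linked blog) lists the ACEs a group holds for creating computer objects in an OU and for managing existing ones, the case post #7 raises. The OU DN and group name are placeholders, and it assumes the ActiveDirectory PowerShell module is available on an admin workstation.

```powershell
# Added example. $OuDn and $Group are placeholders, not values from the thread.
Import-Module ActiveDirectory   # assumes RSAT and a DC running AD Web Services

$OuDn  = 'OU=Workstations,DC=example,DC=com'
$Group = 'EXAMPLE\Workstation-Joiners'

# schemaIDGUID of the computer class, used in ACEs scoped to computer objects.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AnyClass      = [guid]::Empty
$CreateChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# Allow ACEs on the OU that name the delegated group directly.
$aces = @((Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow'
})

# Right to create computer objects in this OU (what a new join needs first).
$create = @($aces | Where-Object {
    (($_.ActiveDirectoryRights -band $CreateChild) -eq $CreateChild) -and
    ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq $AnyClass)
})

# Rights inherited onto computer objects below the OU (password reset,
# validated writes and similar), which matter when the account already exists.
$onComputers = @($aces | Where-Object { $_.InheritedObjectType -eq $ComputerClass })

if ($create.Count -eq 0) {
    Write-Warning "$Group has no 'create computer objects' ACE on $OuDn"
}
$create + $onComputers |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, IsInherited |
    Format-Table -AutoSize
```

Only ACEs that name the group itself are matched; rights reaching its members through other groups are not resolved.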

          • #6
            Re: access denied when adding computer to domain

            Well done, and thanks for posting back!

            Rep++
            Tom Jones



            • #7
              Re: access denied when adding computer to domain

              It might be because the client uses a Lightweight Directory Access Protocol (LDAP) server or domain controller that has not yet replicated the account deletion, but does not have correct permissions to modify the account that still exists.

              To work around this behavior, use any of the following methods:
              • Use a different computer name.
              • Wait for Active Directory replication to occur, or force replication to occur by using the following command: repadmin /sync DomainDNtarget DSA GUID._msdcs source DSA GUID /force
              • Use a domain administrator account for the join process.
              Last edited by Wired; 5th April 2012, 04:16.
