Re: Unable to add workstation to domain

From: Guido Grillenmeier [MVP] (guido.grillenmeierAThp.com)
Date: 06/29/04


Date: Tue, 29 Jun 2004 11:47:59 +0200

this is usually a simple task

you don't change the User Rights - rather you'd want to replace
Authenticated Users with Domain Admin in the Add Workstations to Domain user
right to prevent Auth. Usr. from adding up to 10 machines (by default) to
the domain's Computer container.

setting permissions at the OU level is sufficient (grant permissions to
create computer objects at the OU level, then grant write permissions or
full control for computer objects) - users of your Add Workstations group
will then either have to first create the computer object in the OU (e.g.
via ADUC) and then join the computer to the domain (via the client UI), or
you can join directly to the right OU via cmd-line using the NETDOM tool.

/Guido

"Darren Toews" <dtoews@rrc.mb.ca> wrote in message
news:%23qXyWGVXEHA.3564@TK2MSFTNGP11.phx.gbl...
> Hi all,
>
> Have a problem that I wonder if you can help me with. We have a Windows
> 2000/2003 domain. The domain controllers are 2000 and the member servers
> are a mixture of 2000 and 2003.
>
> I have created various OU admin groups for our different departments and
> made the user objects for those users members of those groups. Now I have
> tried adding all the OU admin group objects to a domain local group to
> which I'd like to delegate the ability to add workstations to the domain.
> I have tried doing this 3 different ways. 1) Using the delegation wizard,
> 2) Via Group Policy at the domain level (added the Add Workstation group
> to the list of users able to add workstations to the domain in the
> Computer Section of the GPO under User Account Rights) and 3) editing the
> Domain security properties and manually adding the group in giving them
> read, read all properties and Create Computer Objects and Delete Computer
> Objects.
>
> None of these methods seems to work. I can add a workstation with the
> domain admin account and with an account that is a member of the domain
> admins group so it does not seem to be communications related, but any
> account in the add workstations group generates an "Access Denied" error.
> I have also tried creating a test account not in the above group and using
> each of the 3 methods to delegate rights directly to that account with no
> luck either. Only the Domain Admins can add a workstation.
>
> When I manually go into the security settings for any of the domains, I
> can see that the rights have properly inherited down the tree using the
> Effective Permissions tab, so the users should have the appropriate rights
> to accomplish this task, yet for some reason they are not able to do it.
>
> Searching Google I came across an article detailing that in some cases a
> bad sysprep image can cause this and that a solution is to apply the Setup
> Security Local Security Policy Template on the workstation. I have tried
> this as well, and it worked a couple of times, but no longer seems to do
> the trick.
>
> I've tried searching Microsoft's support site and was unable to find
> anything helpful.
>
> If anyone has any suggestions for me, I'd greatly appreciate them!
>
> Thanks in advance,
>
> Darren Toews
>
>
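
The OU-level delegation and NETDOM join described in the reply above, as an added example that is not part of the original thread. The domain (example.com / EXAMPLE), the OU (OU=Workstations), the group (AddWorkstations) and the user (jdoe) are placeholder assumptions.

```batch
@echo off
rem Added example. All names below are placeholders (assumptions), not from the thread.
rem dsacls and netdom are part of the Windows Support Tools on Windows 2000/2003.
set "OU=OU=Workstations,DC=example,DC=com"
set "GROUP=EXAMPLE\AddWorkstations"

rem --- Run once, as a domain administrator ---------------------------------

rem 1) On the OU itself: let the group create and delete computer objects only.
rem    /I:T = this object and sub-objects
rem    CC/DC = create child / delete child, restricted to object class "computer"
dsacls "%OU%" /I:T /G "%GROUP%:CCDC;computer"

rem 2) On computer objects under the OU: full control, inherited by
rem    computer objects only (third field = inherited object type).
rem    /I:S = sub-objects only, GA = generic all
dsacls "%OU%" /I:S /G "%GROUP%:GA;;computer"

rem 3) Print the resulting ACL and confirm the group holds only the two
rem    entries above, both scoped to computer objects.
dsacls "%OU%"

rem --- Run on the workstation, as a member of the delegated group ----------

rem 4) Join directly into the delegated OU. /PasswordD:* prompts for the
rem    password so it is not stored in the script or command history.
netdom join %COMPUTERNAME% /Domain:example.com /OU:"%OU%" /UserD:EXAMPLE\jdoe /PasswordD:* /Reboot
```

Because the account is created under the delegated OU rather than in the default Computers container, the join depends on the OU's ACL and not on the domain-wide Add Workstations to Domain user right.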


