Re: User disjoin workstation from domain, attempt to rejoin and get "account already exists"

From: Diane McCorkle (diane.mccorkle)
Date: 11/11/04


Date: Thu, 11 Nov 2004 13:38:14 -0500

Just a thought...

We handle it in a similar way, our branches can add/remove anything under
their OUs, so the designated person can remove the computer from the
Branchname\Computers folder, or rename it.

But when they add a computer into the domain, it puts that account in the
default Computers OU, and they do NOT have the rights to that, I still
haven't come up with a safe workaround for this.

my 2 bytes..

Diane

"Oli Restorick [MVP]" <oli@mvps.org> wrote in message
news:ORGxn53xEHA.2572@tk2msftngp13.phx.gbl...
Right. That should work, so I'm also having difficulty working out what's
going on. I wonder if the deletion has not replicated to all domain
controllers before the join takes place and a different domain controller is
being used for the domain join. Just a thought.

If I have any more thoughts, I'll let you know.

Oli

"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:uF0dKr3xEHA.2996@TK2MSFTNGP10.phx.gbl...
> I created a JoinWorkstations group and configured the permissions in the
> 'security' tab, on the respective "computer" container OU. I just make the
> domain user a member of that joinworkstations group and here we go.
>
> I will copy this tech account and try to reproduce the problem to see
> what's going on.
>
>
> "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
> news:eVomeo3xEHA.392@TK2MSFTNGP12.phx.gbl...
>> When you say "using a different name", do you mean a different computer
>> name or a different user name?
>>
>> So, can you confirm that you're either using a domain admin account (bad
>> idea), or you've already delegated the right to create and delete
>> computer accounts. If not, how did you give the user the right to join an
>> unlimited number of machines?
>>
>> Oli
>>
>>
>> "Marlon Brown" <marlon_brown@hotmail.com> wrote in message
>> news:ubYnJl3xEHA.1264@TK2MSFTNGP12.phx.gbl...
>> > In this case the user does have the appropriate rights to join an
>> > unlimited number of machines; that's why I mentioned that 'the user is
>> > able to join the machine account' using a different name. Upon
>> > disjoining, the user got no message saying that the machine account
>> > could not be deleted either.
>> >
>> > "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
>> > news:%234ZsOe3xEHA.2600@TK2MSFTNGP09.phx.gbl...
>> >> When the user disjoined the machine from the domain, she would have
>> >> got a warning message saying that the machine account could not be
>> >> deleted. This is because she doesn't have permission to delete computer
>> >> objects from the appropriate container.
>> >>
>> >> When she tries to rejoin, there's already a machine account in Active
>> >> Directory with the computer's name.
>> >>
>> >> You're probably also finding that regular users by default have the
>> >> ability to add up to 10 machines to a domain. If you need these users
>> >> to be able to add and remove machine accounts freely from workstations,
>> >> use the delegation of control wizard to delegate the creation and
>> >> deletion of machine accounts on the "computers" container. I recommend
>> >> that you create a group and delegate permissions to the group rather
>> >> than delegating to users directly.
>> >>
>> >> Hope this helps
>> >>
>> >> Oli
>> >>
>> >> "Marlon Brown" <marlon_brown@hotmail.com> wrote in message
>> >> news:Oh97rP3xEHA.2600@TK2MSFTNGP09.phx.gbl...
>> >> > I have this User1tech here who complains that when she disjoins a
>> >> > workstation from the domain, goes there a day or two later and
>> >> > attempts to rejoin SameComputerName to the domain, a message "account
>> >> > already exists" is displayed and the joining operation is unsuccessful.
>> >> >
>> >> > Then if User1tech tries to add the computer account using a different
>> >> > name, the joining operation works accordingly, which tells me
>> >> > permissions-wise that should be fine.
>> >> >
>> >> > What's wrong?
>> >> > Win2000ADSP4
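One way to check both explanations offered in this thread (a deletion that has not yet replicated to every domain controller, and a group that was delegated on a branch OU but not on the default Computers container), as an added PowerShell example that is not part of any post here: it assumes the ActiveDirectory module is available, and the computer and group names are placeholders taken from the thread.

```powershell
# Added example (not from any post in this thread). For a computer that fails
# to rejoin with "account already exists", ask every domain controller whether
# it still holds the computer object, so an unreplicated or stale deletion
# shows up as "present on some DCs, absent on others", then list what the
# delegated group may do on the default Computers container, where a join
# creates the object when no OU is specified.
# Assumes the ActiveDirectory module (Server 2008 R2+, not the thread's Win2000);
# the computer and group names are placeholders taken from the thread.
param(
    [string]$ComputerName = 'SameComputerName',
    [string]$GroupName    = 'JoinWorkstations'
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Query each DC directly instead of letting the module pick one for us.
foreach ($dc in $dcs) {
    $obj = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Server $dc `
                          -Properties whenChanged -ErrorAction SilentlyContinue
    if ($obj) {
        "{0}: PRESENT  {1} (changed {2})" -f $dc, $obj.DistinguishedName, $obj.whenChanged
    } else {
        "{0}: absent" -f $dc
    }
}

# 2. Show the group's ACEs on CN=Computers. For the delegation described in
#    the thread you expect CreateChild and DeleteChild with ObjectType
#    bf967a86-0de6-11d0-a285-00aa003049e2 (the schema GUID of the computer
#    class). A group delegated only on a branch OU has no entry here, which
#    is why objects created by a default join cannot be removed by that group.
$computersDN = "CN=Computers,$($domain.DistinguishedName)"
$acl = Get-Acl -Path "AD:\$computersDN"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType |
    Format-Table -AutoSize
```

If the object is present on only some DCs, the failed join was simply served by a DC that has not yet seen the deletion; if the group has no ACE on CN=Computers, that is the gap Diane describes.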


