Re: Joining Computers to Domain

From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 03/16/04


Date: Tue, 16 Mar 2004 09:44:21 -0700

Yeah, if you have established permissions lower in the AD structure.
Permissions inherit by default. However, I don't think anyone would have set
a DENY for this permission, but it could be.

Let me make sure that I did the same thing that you are attempting:
1) I delegated to a new user the ability to Join a computer to the domain,
from the domain node in ADUC
2) I then went to a computer that was in a workgroup and logged on as the
local administrator. I then changed the configuration to be from a workgroup
to a domain, and was challenged with credentials. I put in the username and
password of the new user that I delegated the permission to.
3) I was then shown a dialog box indicating I was successful in my joining
of the domain.

Is this what you are getting, except for step 3... where you get a notice
indicating you are not allowed to do this, and it then says Access is
Denied?

-- 
Derek Melber
BrainCore.Net
derekm@braincore.net
"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
news:dfb901c40b6e$02d29600$a301280a@phx.gbl...
> That idea still didn't work.  Is there a permission that
> could be overriding the "Join computers to the domain"
> option?
>
> >-----Original Message-----
> >Alan,
> >
> >I am NOT getting to work what I have gotten to work in
> the past. However, I
> >am getting one thing to work that will be a solution for
> you.
> >
> >Instead of delegating at the OU, delegate at the domain
> level! There is a
> >"preset delegation task" for "Joining computer to the
> domain". This is the
> >exact same permission as at the OU, but the OU won't let
> me join, where this
> >will.
> >
> >Give that a try and let me know if that solves your
> problem.
> >
> >-- 
> >Derek Melber
> >BrainCore.Net
> >derekm@braincore.net
> >"Alan Price" <anonymous@discussions.microsoft.com> wrote
> in message
> >news:abb001c40ad8$87d56760$a601280a@phx.gbl...
> >> We delegated computer objects creation.  It's a Custom
> task
> >> because it didn't allow for a Common task and when we
> >> delegated that option, it used a wizard.  Any ideas?
> >> Also, an afterthought on my personal user account,
> >> whenever I click a shortcut it asks if I'm sure I want
> to
> >> open the file (it's a file download prompt like in IE).
> >> The "Show this message everytime" box is greyed out and
> >> checked.  How do I fix this?
> >>
> >> >-----Original Message-----
> >> >Alan,
> >> >
> >> >What delegation did you give the user account?
> >> >
> >> >-- 
> >> >Derek Melber
> >> >BrainCore.Net
> >> >derekm@braincore.net
> >> >"Alan Price" <anonymous@discussions.microsoft.com>
> wrote
> >> in message
> >> >news:dd0601c40ad1$bbb37740$a101280a@phx.gbl...
> >> >> I gave the idea below a try, but it didn't work.
> Does
> >> >> anybody else (or Derek) have any ideas?  If you need
> >> >> specifics, let me know.
> >> >>
> >> >> >-----Original Message-----
> >> >> >Alan,
> >> >> >
> >> >> >I assume you mean that you have given the group
> >> the "Add
> >> >> workstations to
> >> >> >domain" user right? Well, this is not necessary in
> AD.
> >> >> You can get by with
> >> >> >just delegating permissions to create computer
> objects
> >> in
> >> >> the OU where the
> >> >> >admin needs to join the computer to the domain. So,
> >> this
> >> >> gives you more
> >> >> >granularity and ultimate control.
> >> >> >
> >> >> >Does this make sense?
> >> >> >
> >> >> >-- 
> >> >> >Derek Melber
> >> >> >BrainCore.Net
> >> >> >derekm@braincore.net
> >> >> >"Alan Price" <anonymous@somedomain.tld> wrote in
> >> message
> >> >> >news:b37501c40794$1dfb28d0$a401280a@phx.gbl...
> >> >> >> We have several groups with specific rights set
> up on
> >> >> our
> >> >> >> server.  We want to give a group of administrators
> >> the
> >> >> >> right to join workstations to the domain.  We have
> >> >> enabled
> >> >> >> this right in Group Policy, but it is not working.
> >> The
> >> >> >> group members cannot join the computers to the
> >> domain.
> >> >> >> For user reasons, the admins are also in a
> different
> >> >> group
> >> >> >> with more restrictions.  Could a restriction in
> this
> >> >> group
> >> >> >> be cancelling out the right to join computers?  If
> >> so or
> >> >> >> possible, where would it be?  We have tried moving
> >> the
> >> >> >> admin group up in the hierarchy of rights
> management,
> >> >> but
> >> >> >> that didn't help.  Any ideas?  If you need any
> >> >> specifics,
> >> >> >> let me know.
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
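
To check the inherited or DENY permission question raised in this thread, the access control entries on the target container can be listed directly. The following PowerShell is an added example, not part of the original posts; it assumes the ActiveDirectory module (RSAT) is installed, and the distinguished name is a placeholder to replace with your own OU or domain root.

```powershell
# Added example: list the ACEs on an OU (or the domain root) that affect
# creating computer objects, showing which are Allow/Deny and which are inherited.
# Assumes the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Placeholder DN (assumption): replace with the OU or domain root being delegated.
$TargetDN = 'OU=Workstations,DC=example,DC=com'

# schemaIDGUID of the "computer" object class.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
# An empty GUID in ObjectType means the ACE applies to every child class.
$AllClasses = [guid]::Empty

$CreateChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$acl = Get-Acl -Path "AD:\$TargetDN"

$acl.Access |
    Where-Object {
        # Keep ACEs that include CreateChild (GenericAll includes it too) ...
        ($_.ActiveDirectoryRights -band $CreateChild) -and
        # ... and that are scoped to computer objects or to all classes.
        ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq $AllClasses)
    } |
    Sort-Object AccessControlType, IsInherited |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  IsInherited, InheritanceType |
    Format-Table -AutoSize
```

A row with `AccessControlType` of `Deny` for the delegated user or one of their groups, or a missing `Allow` row for them, is what to look for; `IsInherited` shows whether the entry was set on this container or comes from higher in the AD structure.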

