Re: Joining Computers to Domain

From: Alan Price (anonymous_at_discussions.microsoft.com)
Date: 03/17/04


Date: Tue, 16 Mar 2004 18:19:33 -0800

We gave that a try after receiving it from you. It didn't
work. I agree, there shouldn't be any DENY permissions
set. I am getting the "Access is Denied" error. We tried
to apply the "Join computers to domain" setting to my
account only instead of the OU. We've got
Creating/Deleting/Modifying/Securing/Anything-ing computer
objects set up, but it's not working. I'm thinking there
is some permission that is blocking it. Any idea what?
Below is a summary of how our AD is set up.

We've got a number of groups, but for this, we only need
to mention a few:
Domain Admins
Staff
Students
Student Admins
Domain Users

Our problem is with student admins. The Domain Admins can
add computers to the domain. The domain admins are also
members of staff and domain users. The student admins are
members of the students group and domain users. Is it
possible that something in the students group is blocking
the student admins from joining computers to the domain?
If you need extra details or whatever, let me know.

>-----Original Message-----
>Yeah, if you have established permissions lower in the AD structure.
>Permissions inherit by default. However, I don't think anyone would have set
>a DENY for this permission, but it could be.
>
>Let me make sure that I did the same thing that you are attempting:
>1) I delegated to a new user the ability to Join a computer to the domain,
>from the domain node in ADUC
>2) I then went to a computer that was in a workgroup and logged on as the
>local administrator. I then changed the configuration to be from a workgroup
>to a domain, and was challenged with credentials. I put in the username and
>password of the new user that I delegated the permission to.
>3) I was then shown a dialog box indicating I was successful in my joining
>of the domain.
>
>Is this what you are getting, except for step 3... where you get a notice
>indicating you are not allowed to do this, and it then says Access is
>Denied.?
>
>--
>Derek Melber
>BrainCore.Net
>derekm@braincore.net
>"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
>news:dfb901c40b6e$02d29600$a301280a@phx.gbl...
>> That idea still didn't work. Is there a permission that
>> could be overriding the "Join computers to the domain"
>> option?
>>
>> >-----Original Message-----
>> >Alan,
>> >
>> >I am NOT getting to work what I have gotten to work in the past. However, I
>> >am getting one thing to work that will be a solution for you.
>> >
>> >Instead of delegating at the OU, delegate at the domain level! There is a
>> >"preset delegation task" for "Joining computer to the domain". This is the
>> >exact same permission as at the OU, but the OU won't let me join, where this
>> >will.
>> >
>> >Give that a try and let me know if that solves your problem.
>> >
>> >--
>> >Derek Melber
>> >BrainCore.Net
>> >derekm@braincore.net
>> >"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
>> >news:abb001c40ad8$87d56760$a601280a@phx.gbl...
>> >> We delegated computer objects creation. It's a Custom task
>> >> because it didn't allow for a Common task and when we
>> >> delegated that option, it used a wizard. Any ideas?
>> >> Also, an afterthought on my personal user account,
>> >> whenever I click a shortcut it asks if I'm sure I want to
>> >> open the file (it's a file download prompt like in IE).
>> >> The "Show this message every time" box is greyed out and
>> >> checked. How do I fix this?
>> >>
>> >> >-----Original Message-----
>> >> >Alan,
>> >> >
>> >> >What delegation did you give the user account?
>> >> >
>> >> >--
>> >> >Derek Melber
>> >> >BrainCore.Net
>> >> >derekm@braincore.net
>> >> >"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
>> >> >news:dd0601c40ad1$bbb37740$a101280a@phx.gbl...
>> >> >> I gave the idea below a try, but it didn't work. Does
>> >> >> anybody else (or Derek) have any ideas? If you need
>> >> >> specifics, let me know.
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >Alan,
>> >> >> >
>> >> >> >I assume you mean that you have given the group the "Add workstations to
>> >> >> >domain" user right? Well, this is not necessary in AD. You can get by with
>> >> >> >just delegating permissions to create computer objects in the OU where the
>> >> >> >admin needs to join the computer to the domain. So, this gives you more
>> >> >> >granularity and ultimate control.
>> >> >> >
>> >> >> >Does this make sense?
>> >> >> >
>> >> >> >--
>> >> >> >Derek Melber
>> >> >> >BrainCore.Net
>> >> >> >derekm@braincore.net
>> >> >> >"Alan Price" <anonymous@somedomain.tld> wrote in message
>> >> >> >news:b37501c40794$1dfb28d0$a401280a@phx.gbl...
>> >> >> >> We have several groups with specific rights set up on our
>> >> >> >> server. We want to give a group of administrators the
>> >> >> >> right to join workstations to the domain. We have enabled
>> >> >> >> this right in Group Policy, but it is not working. The
>> >> >> >> group members cannot join the computers to the domain.
>> >> >> >> For user reasons, the admins are also in a different group
>> >> >> >> with more restrictions. Could a restriction in this group
>> >> >> >> be cancelling out the right to join computers? If so or
>> >> >> >> possible, where would it be? We have tried moving the
>> >> >> >> admin group up in the hierarchy of rights management, but
>> >> >> >> that didn't help. Any ideas? If you need any specifics,
>> >> >> >> let me know.
>
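
One way to look for the kind of blocking DENY discussed in this thread, as an added example that is not part of the original posts: the function below filters an OU's access control entries down to those that affect creating computer objects for a user and the user's groups, then applies a simplified canonical ordering (explicit before inherited, Deny before Allow) to show which entry decides. The function name `Find-JoinBlocker`, the `SCHOOL` domain, the user name and the sample ACEs are constructed for illustration and do not describe the poster's directory.

```powershell
# Added example: hypothetical names and constructed sample data throughout.
$ComputerClass = 'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
$AllClasses    = '00000000-0000-0000-0000-000000000000'  # empty GUID: ACE covers every child class

function Find-JoinBlocker {
    param(
        [object[]]$Aces,       # live data: (Get-Acl "AD:\<OU distinguished name>").Access
        [string[]]$Principals  # the user plus every group the user is a member of
    )
    # Keep only ACEs for these principals that touch creation of computer objects.
    $relevant = @($Aces | Where-Object {
        $Principals -contains "$($_.IdentityReference)" -and
        "$($_.ActiveDirectoryRights)" -match 'CreateChild|GenericAll' -and
        @($ComputerClass, $AllClasses) -contains "$($_.ObjectType)"
    })
    # Simplified canonical order: explicit before inherited, Deny before Allow.
    # (Inheritance depth is ignored here; that is an assumption of this sketch.)
    $first = $relevant |
        Sort-Object @{ Expression = { [int][bool]$_.IsInherited } },
                    @{ Expression = { if ("$($_.AccessControlType)" -eq 'Deny') { 0 } else { 1 } } } |
        Select-Object -First 1
    [pscustomobject]@{
        Decision  = if ($first) { "$($first.AccessControlType)" } else { 'NoMatchingAce' }
        DecidedBy = if ($first) { "$($first.IdentityReference)" } else { $null }
        DenyAces  = @($relevant | Where-Object { "$($_.AccessControlType)" -eq 'Deny' })
    }
}

# Constructed ACEs using the same property names Get-Acl returns for AD objects.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'SCHOOL\Student Admins'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'CreateChild, DeleteChild'
                       ObjectType = $ComputerClass; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'SCHOOL\Students'; AccessControlType = 'Deny'
                       ActiveDirectoryRights = 'CreateChild'
                       ObjectType = $AllClasses; IsInherited = $false }
)
$groups = 'SCHOOL\studentadmin1', 'SCHOOL\Student Admins', 'SCHOOL\Students', 'SCHOOL\Domain Users'
Find-JoinBlocker -Aces $sample -Principals $groups | Format-List
```

With the constructed sample, the explicit Deny for `SCHOOL\Students` sorts ahead of the inherited Allow for `SCHOOL\Student Admins`, so the decision is Deny. Reading live data through the `AD:` drive requires the ActiveDirectory PowerShell module.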


