Re: Joining Computers to Domain
From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 03/17/04
- Previous message: Alan Price: "Re: Joining Computers to Domain"
- In reply to: Alan Price: "Re: Joining Computers to Domain"
- Next in thread: David Everett [MSFT]: "Re: Joining Computers to Domain"
- Reply: David Everett [MSFT]: "Re: Joining Computers to Domain"
- Reply: Alan Price: "Re: Joining Computers to Domain"
Date: Tue, 16 Mar 2004 19:49:32 -0700
Alan,
Create a new user and delegate them the permission at the domain level.
Then, see if this user can add a workstation to the domain. It will
immediately indicate if you have a DENY somewhere.
--
Derek Melber
BrainCore.Net
derekm@braincore.net

"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
news:e74601c40bc6$49283b20$a501280a@phx.gbl...
> We gave that a try after receiving it from you. It didn't work. I agree,
> there shouldn't be any DENY permissions set. I am getting the "Access is
> Denied" error. We tried to apply the "Join computers to domain" setting to
> my account only instead of the OU. We've got
> Creating/Deleting/Modifying/Securing/Anything-ing computer objects set up,
> but it's not working. I'm thinking there is some permission that is
> blocking it. Any idea what? Below is a summary of how our AD is set up.
>
> We've got a number of groups, but for this, we only need to mention a few:
> Domain Admins
> Staff
> Students
> Student Admins
> Domain Users
>
> Our problem is with student admins. The Domain Admins can add computers to
> the domain. The domain admins are also members of staff and domain users.
> The student admins are members of the students group and domain users. Is
> it possible that something in the students group is blocking the student
> admins from joining computers to the domain? If you need extra details or
> whatever, let me know.
>
> >-----Original Message-----
> >Yeah, if you have established permissions lower in the AD structure.
> >Permissions inherit by default. However, I don't think anyone would have
> >set a DENY for this permission, but it could be.
> >
> >Let me make sure that I did the same thing that you are attempting:
> >1) I delegated to a new user the ability to Join a computer to the domain,
> >from the domain node in ADUC
> >2) I then went to a computer that was in a workgroup and logged on as the
> >local administrator. I then changed the configuration to be from a
> >workgroup to a domain, and was challenged with credentials. I put in the
> >username and password of the new user that I delegated the permission to.
> >3) I was then shown a dialog box indicating I was successful in my joining
> >of the domain.
> >
> >Is this what you are getting, except for step 3... where you get a notice
> >indicating you are not allowed to do this, and it then says Access is
> >Denied.?
> >
> >--
> >Derek Melber
> >BrainCore.Net
> >derekm@braincore.net
> >"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
> >news:dfb901c40b6e$02d29600$a301280a@phx.gbl...
> >> That idea still didn't work. Is there a permission that could be
> >> overriding the "Join computers to the domain" option?
> >>
> >> >-----Original Message-----
> >> >Alan,
> >> >
> >> >I am NOT getting to work what I have gotten to work in the past.
> >> >However, I am getting one thing to work that will be a solution for
> >> >you.
> >> >
> >> >Instead of delegating at the OU, delegate at the domain level! There
> >> >is a "preset delegation task" for "Joining computer to the domain".
> >> >This is the exact same permission as at the OU, but the OU won't let
> >> >me join, where this will.
> >> >
> >> >Give that a try and let me know if that solves your problem.
> >> >
> >> >--
> >> >Derek Melber
> >> >BrainCore.Net
> >> >derekm@braincore.net
> >> >"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
> >> >news:abb001c40ad8$87d56760$a601280a@phx.gbl...
> >> >> We delegated computer objects creation. It's a Custom task because
> >> >> it didn't allow for a Common task and when we delegated that option,
> >> >> it used a wizard. Any ideas?
> >> >> Also, an afterthought on my personal user account, whenever I click
> >> >> a shortcut it asks if I'm sure I want to open the file (it's a file
> >> >> download prompt like in IE). The "Show this message everytime" box
> >> >> is greyed out and checked. How do I fix this?
> >> >>
> >> >> >-----Original Message-----
> >> >> >Alan,
> >> >> >
> >> >> >What delegation did you give the user account?
> >> >> >
> >> >> >--
> >> >> >Derek Melber
> >> >> >BrainCore.Net
> >> >> >derekm@braincore.net
> >> >> >"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
> >> >> >news:dd0601c40ad1$bbb37740$a101280a@phx.gbl...
> >> >> >> I gave the idea below a try, but it didn't work. Does anybody
> >> >> >> else (or Derek) have any ideas? If you need specifics, let me
> >> >> >> know.
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >Alan,
> >> >> >> >
> >> >> >> >I assume you mean that you have given the group the "Add
> >> >> >> >workstations to domain" user right? Well, this is not necessary
> >> >> >> >in AD. You can get by with just delegating permissions to create
> >> >> >> >computer objects in the OU where the admin needs to join the
> >> >> >> >computer to the domain. So, this gives you more granularity and
> >> >> >> >ultimate control.
> >> >> >> >
> >> >> >> >Does this make sense?
> >> >> >> >
> >> >> >> >--
> >> >> >> >Derek Melber
> >> >> >> >BrainCore.Net
> >> >> >> >derekm@braincore.net
> >> >> >> >"Alan Price" <anonymous@somedomain.tld> wrote in message
> >> >> >> >news:b37501c40794$1dfb28d0$a401280a@phx.gbl...
> >> >> >> >> We have several groups with specific rights set up on our
> >> >> >> >> server. We want to give a group of administrators the right to
> >> >> >> >> join workstations to the domain. We have enabled this right in
> >> >> >> >> Group Policy, but it is not working. The group members cannot
> >> >> >> >> join the computers to the domain. For user reasons, the admins
> >> >> >> >> are also in a different group with more restrictions. Could a
> >> >> >> >> restriction in this group be cancelling out the right to join
> >> >> >> >> computers? If so or possible, where would it be? We have tried
> >> >> >> >> moving the admin group up in the hierarchy of rights
> >> >> >> >> management, but that didn't help. Any ideas? If you need any
> >> >> >> >> specifics, let me know.
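
Added example, not part of the original thread: one way to look directly for the DENY discussed above, by listing Deny entries on the containers where computer objects get created that match any group in the delegated account's token. It assumes the RSAT ActiveDirectory PowerShell module; the account name and distinguished names are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module;
# $Account and $Containers are placeholders to replace with your own values.
Import-Module ActiveDirectory

$Account    = 'studentadmin1'                       # placeholder sAMAccountName
$Containers = @(                                    # placeholder DNs to inspect
    'DC=example,DC=com',
    'CN=Computers,DC=example,DC=com',
    'OU=Labs,DC=example,DC=com'
)

# schemaIDGUID of the "computer" class; an empty GUID means "all object types".
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$CreateChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$SidType       = [System.Security.Principal.SecurityIdentifier]

# SIDs in the account's token: itself, every (nested) group, plus well-known SIDs.
$user = Get-ADUser -Identity $Account -Properties tokenGroups
$sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value }) +
        @('S-1-1-0', 'S-1-5-11')                    # Everyone, Authenticated Users

foreach ($dn in $Containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    # Ask for rules keyed by SID so unresolvable names cannot hide a match.
    $acl.GetAccessRules($true, $true, $SidType) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ($_.ActiveDirectoryRights -band $CreateChild) -and
            ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq [guid]::Empty) -and
            ($sids -contains $_.IdentityReference.Value)
        } |
        Select-Object @{n='Container';e={$dn}},
                      @{n='TrusteeSid';e={$_.IdentityReference.Value}},
                      ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited
}
```

Any row returned is a Deny on creating computer objects that reaches the account through one of its groups; `IsInherited` shows whether it was set on that container or higher in the tree.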