Re: Joining Computers to Domain

From: David Everett [MSFT] (deverett_at_online.microsoft.com)
Date: 03/17/04


Date: Wed, 17 Mar 2004 12:37:48 -0600

When it fails to join the domain, open the netsetup.log file under
%systemroot%\debug and locate the SamOpenUser error you mentioned earlier.
The next line down should point to what permission is lacking if it is a
permissions issue on the OU.

Are you adding "Student Admins" to the "Join computers to domain" on the
Default Domain Controller Policy or the Default Domain Policy?

-- 
David Everett
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

"Derek Melber [MVP]" <derekm@braincore.net> wrote in message
news:ub8wQr8CEHA.2804@tk2msftngp13.phx.gbl...
> Alan,
>
> Create a new user and delegate them the permission at the domain level.
> Then, see if this user can add a workstation to the domain. It will
> immediately indicate if you have a DENY somewhere.
>
> -- 
> Derek Melber
> BrainCore.Net
> derekm@braincore.net
> "Alan Price" <anonymous@discussions.microsoft.com> wrote in message
> news:e74601c40bc6$49283b20$a501280a@phx.gbl...
> > We gave that a try after receiving it from you.  It didn't
> > work.  I agree, there shouldn't be any DENY permissions
> > set.  I am getting the "Access is Denied" error.  We tried
> > to apply the "Join computers to domain" setting to my
> > account only instead of the OU.  We've got
> > Creating/Deleting/Modifying/Securing/Anything-ing computer
> > objects set up, but it's not working.  I'm thinking there
> > is some permission that is blocking it.  Any idea what?
> > Below is a summary of how our AD is set up.
> >
> > We've got a number of groups, but for this, we only need
> > to mention a few:
> > Domain Admins
> > Staff
> > Students
> > Student Admins
> > Domain Users
> >
> > Our problem is with student admins.  The Domain Admins can
> > add computers to the domain.  The domain admins are also
> > members of staff and domain users.  The student admins are
> > members of the students group and domain users.  Is it
> > possible that something in the students group is blocking
> > the student admins from joining computers to the domain?
> > If you need extra details or whatever, let me know.
> >
> > >-----Original Message-----
> > >Yeah, if you have established permissions lower in the AD
> > structure.
> > >Permissions inherit by default. However, I don't think
> > anyone would have set
> > >a DENY for this permission, but it could be.
> > >
> > >Let me make sure that I did the same thing that you are
> > attempting:
> > >1) I delegated to a new user the ability to Join a
> > computer to the domain,
> > >from the domain node in ADUC
> > >2) I then went to a computer that was in a workgroup and
> > logged on as the
> > >local administrator. I then changed the configuration to
> > be from a workgroup
> > >to a domain, and was challenged with credentials. I put
> > in the username and
> > >password of the new user that I delegated the permission
> > to.
> > >3) I was then shown a dialog box indicating I was
> > successful in my joining
> > >of the domain.
> > >
> > >Is this what you are getting, except for step 3... where
> > you get a notice
> > >indicating you are not allowed to do this, and it then
> > says Access is
> > >Denied.?
> > >
> > >-- 
> > >Derek Melber
> > >BrainCore.Net
> > >derekm@braincore.net
> > >"Alan Price" <anonymous@discussions.microsoft.com> wrote
> > in message
> > >news:dfb901c40b6e$02d29600$a301280a@phx.gbl...
> > >> That idea still didn't work.  Is there a permission that
> > >> could be overriding the "Join computers to the domain"
> > >> option?
> > >>
> > >> >-----Original Message-----
> > >> >Alan,
> > >> >
> > >> >I am NOT getting to work what I have gotten to work in
> > >> the past. However, I
> > >> >am getting one thing to work that will be a solution
> > for
> > >> you.
> > >> >
> > >> >Instead of delegating at the OU, delegate at the domain
> > >> level! There is a
> > >> >"preset delegation task" for "Joining computer to the
> > >> domain". This is the
> > >> >exact same permission as at the OU, but the OU won't
> > let
> > >> me join, where this
> > >> >will.
> > >> >
> > >> >Give that a try and let me know if that solves your
> > >> problem.
> > >> >
> > >> >-- 
> > >> >Derek Melber
> > >> >BrainCore.Net
> > >> >derekm@braincore.net
> > >> >"Alan Price" <anonymous@discussions.microsoft.com>
> > wrote
> > >> in message
> > >> >news:abb001c40ad8$87d56760$a601280a@phx.gbl...
> > >> >> We delegated computer objects creation.  It's a Custom
> > >> task
> > >> >> because it didn't allow for a Common task and when we
> > >> >> delegated that option, it used a wizard.  Any ideas?
> > >> >> Also, an afterthought on my personal user account,
> > >> >> whenever I click a shortcut it asks if I'm sure I
> > want
> > >> to
> > >> >> open the file (it's a file download prompt like in
> > IE).
> > >> >> The "Show this message everytime" box is greyed out and
> > >> >> checked.  How do I fix this?
> > >> >>
> > >> >> >-----Original Message-----
> > >> >> >Alan,
> > >> >> >
> > >> >> >What delegation did you give the user account?
> > >> >> >
> > >> >> >-- 
> > >> >> >Derek Melber
> > >> >> >BrainCore.Net
> > >> >> >derekm@braincore.net
> > >> >> >"Alan Price" <anonymous@discussions.microsoft.com>
> > >> wrote
> > >> >> in message
> > >> >> >news:dd0601c40ad1$bbb37740$a101280a@phx.gbl...
> > >> >> >> I gave the idea below a try, but it didn't work.
> > >> Does
> > >> >> >> anybody else (or Derek) have any ideas?  If you
> > need
> > >> >> >> specifics, let me know.
> > >> >> >>
> > >> >> >> >-----Original Message-----
> > >> >> >> >Alan,
> > >> >> >> >
> > >> >> >> >I assume you mean that you have given the group
> > >> >> the "Add
> > >> >> >> workstations to
> > >> >> >> >domain" user right? Well, this is not necessary
> > in
> > >> AD.
> > >> >> >> You can get by with
> > >> >> >> >just delegating permissions to create computer
> > >> objects
> > >> >> in
> > >> >> >> the OU where the
> > >> >> >> >admin needs to join the computer to the domain.
> > So,
> > >> >> this
> > >> >> >> gives you more
> > >> >> >> >granularity and ultimate control.
> > >> >> >> >
> > >> >> >> >Does this make sense?
> > >> >> >> >
> > >> >> >> >-- 
> > >> >> >> >Derek Melber
> > >> >> >> >BrainCore.Net
> > >> >> >> >derekm@braincore.net
> > >> >> >> >"Alan Price" <anonymous@somedomain.tld> wrote in
> > >> >> message
> > >> >> >> >news:b37501c40794$1dfb28d0$a401280a@phx.gbl...
> > >> >> >> >> We have several groups with specific rights set
> > >> up on
> > >> >> >> our
> > >> >> >> >> server.  We want to give a group of
> > administrators
> > >> >> the
> > >> >> >> >> right to join workstations to the domain.  We
> > have
> > >> >> >> enabled
> > >> >> >> >> this right in Group Policy, but it is not
> > working.
> > >> >> The
> > >> >> >> >> group members cannot join the computers to the
> > >> >> domain.
> > >> >> >> >> For user reasons, the admins are also in a
> > >> different
> > >> >> >> group
> > >> >> >> >> with more restrictions.  Could a restriction in
> > >> this
> > >> >> >> group
> > >> >> >> >> be cancelling out the right to join
> > computers?  If
> > >> >> so or
> > >> >> >> >> possible, where would it be?  We have tried
> > moving
> > >> >> the
> > >> >> >> >> admin group up in the hierarchy of rights
> > >> management,
> > >> >> >> but
> > >> >> >> >> that didn't help.  Any ideas?  If you need any
> > >> >> >> specifics,
> > >> >> >> >> let me know.

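The netsetup.log check described in David Everett's reply at the top of this thread, as an added Python example that is not part of any post: it finds each failing SamOpenUser line, pairs it with the line that follows, and names the status codes on both. The sample log is constructed (host name, machine name and RID are made up), and the function names are this example's own.

```python
import re

# Constructed sample in the general shape of netsetup.log entries; the host
# name, machine name and RID are illustrative and not taken from the thread.
SAMPLE_LOG = r"""
03/17 12:30:01 NetpDoDomainJoin
03/17 12:30:02 NetpJoinDomain: status of connecting to dc '\\DC01': 0x0
03/17 12:30:03 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC01' for 'LAB-PC07$' failed: 0x8b0
03/17 12:30:03 SamOpenUser on 3105 failed with 0xc0000022
03/17 12:30:03 NetpManageMachineAccountWithSid: status of attempting to set password on '\\DC01' for 'LAB-PC07$': 0x5
03/17 12:30:03 NetpJoinDomain: status of creating account: 0x5
03/17 12:30:03 NetpDoDomainJoin: status: 0x5
"""

# Win32 / NTSTATUS values that commonly show up in a failed join.
STATUS = {
    0x0: "success",
    0x5: "ERROR_ACCESS_DENIED",
    0x8b0: "NERR_UserExists (machine account already exists)",
    0x216d: "ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED",
    0xc0000022: "STATUS_ACCESS_DENIED",
}
HEX = re.compile(r"0x[0-9a-fA-F]+")

def decode(line):
    """Return (code, name) for the last hex status on the line, else (None, None)."""
    codes = HEX.findall(line)
    if not codes:
        return None, None
    code = int(codes[-1], 16)
    return code, STATUS.get(code, "unknown")

def sam_open_user_failures(text, marker="SamOpenUser"):
    """Yield (failing line, next line); next is '' if the log ends there."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        if marker in line and "failed" in line:
            yield line, (lines[i + 1] if i + 1 < len(lines) else "")

def report(text):
    """One dict per SamOpenUser failure, with both lines' status decoded."""
    return [{"error": decode(f), "next": n, "next_status": decode(n)}
            for f, n in sam_open_user_failures(text)]

if __name__ == "__main__":
    import sys  # pass the path to %systemroot%\debug\netsetup.log as argv[1]
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in report(text):
        print(r["error"], "->", r["next"], r["next_status"])
```
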
