Re: Joining Computers to Domain

From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 03/18/04


Date: Thu, 18 Mar 2004 08:31:19 -0700

That is tougher:-).

However, one way might be to get dsacls.exe or acldiag.exe and look at the
report for DENYs.

-- 
Derek Melber
BrainCore.Net
derekm@braincore.net
"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
news:f3a301c40cb5$cb570c30$a301280a@phx.gbl...
> Derek,
> We've checked it out and there's got to be a DENY somewhere because it
> still doesn't work.  We think it may be in default domain policy because
> when we blocked that on the test user, it worked.  Any ideas where to
> find it?
>
> >-----Original Message-----
> >Alan,
> >
> >Create a new user and delegate them the permission at the domain level.
> >Then, see if this user can add a workstation to the domain.  It will
> >immediately indicate if you have a DENY somewhere.
> >
> >-- 
> >Derek Melber
> >BrainCore.Net
> >derekm@braincore.net
> >"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
> >news:e74601c40bc6$49283b20$a501280a@phx.gbl...
> >> We gave that a try after receiving it from you.  It didn't work.  I
> >> agree, there shouldn't be any DENY permissions set.  I am getting the
> >> "Access is Denied" error.  We tried to apply the "Join computers to
> >> domain" setting to my account only instead of the OU.  We've got
> >> Creating/Deleting/Modifying/Securing/Anything-ing computer objects
> >> set up, but it's not working.  I'm thinking there is some permission
> >> that is blocking it.  Any idea what?  Below is a summary of how our
> >> AD is set up.
> >>
> >> We've got a number of groups, but for this, we only need to mention
> >> a few:
> >> Domain Admins
> >> Staff
> >> Students
> >> Student Admins
> >> Domain Users
> >>
> >> Our problem is with student admins.  The Domain Admins can add
> >> computers to the domain.  The domain admins are also members of staff
> >> and domain users.  The student admins are members of the students
> >> group and domain users.  Is it possible that something in the
> >> students group is blocking the student admins from joining computers
> >> to the domain?  If you need extra details or whatever, let me know.
> >>
> >> >-----Original Message-----
> >> >Yeah, if you have established permissions lower in the AD structure.
> >> >Permissions inherit by default.  However, I don't think anyone would
> >> >have set a DENY for this permission, but it could be.
> >> >
> >> >Let me make sure that I did the same thing that you are attempting:
> >> >1) I delegated to a new user the ability to Join a computer to the
> >> >domain, from the domain node in ADUC
> >> >2) I then went to a computer that was in a workgroup and logged on as
> >> >the local administrator.  I then changed the configuration to be from
> >> >a workgroup to a domain, and was challenged with credentials.  I put
> >> >in the username and password of the new user that I delegated the
> >> >permission to.
> >> >3) I was then shown a dialog box indicating I was successful in my
> >> >joining of the domain.
> >> >
> >> >Is this what you are getting, except for step 3... where you get a
> >> >notice indicating you are not allowed to do this, and it then says
> >> >Access is Denied?
> >> >
> >> >-- 
> >> >Derek Melber
> >> >BrainCore.Net
> >> >derekm@braincore.net
> >> >"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
> >> >news:dfb901c40b6e$02d29600$a301280a@phx.gbl...
> >> >> That idea still didn't work.  Is there a permission that could be
> >> >> overriding the "Join computers to the domain" option?
> >> >>
> >> >> >-----Original Message-----
> >> >> >Alan,
> >> >> >
> >> >> >I am NOT getting to work what I have gotten to work in the past.
> >> >> >However, I am getting one thing to work that will be a solution
> >> >> >for you.
> >> >> >
> >> >> >Instead of delegating at the OU, delegate at the domain level!
> >> >> >There is a "preset delegation task" for "Joining computer to the
> >> >> >domain".  This is the exact same permission as at the OU, but the
> >> >> >OU won't let me join, where this will.
> >> >> >
> >> >> >Give that a try and let me know if that solves your problem.
> >> >> >
> >> >> >-- 
> >> >> >Derek Melber
> >> >> >BrainCore.Net
> >> >> >derekm@braincore.net
> >> >> >"Alan Price" <anonymous@discussions.microsoft.com> wrote in message
> >> >> >news:abb001c40ad8$87d56760$a601280a@phx.gbl...
> >> >> >> We delegated computer objects creation.  It's a Custom task
> >> >> >> because it didn't allow for a Common task and when we delegated
> >> >> >> that option, it used a wizard.  Any ideas?
> >> >> >> Also, an afterthought on my personal user account, whenever I
> >> >> >> click a shortcut it asks if I'm sure I want to open the file
> >> >> >> (it's a file download prompt like in IE).  The "Show this message
> >> >> >> every time" box is greyed out and checked.  How do I fix this?
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >Alan,
> >> >> >> >
> >> >> >> >What delegation did you give the user account?
> >> >> >> >
> >> >> >> >-- 
> >> >> >> >Derek Melber
> >> >> >> >BrainCore.Net
> >> >> >> >derekm@braincore.net
> >> >> >> >"Alan Price" <anonymous@discussions.microsoft.com> wrote in
> >> >> >> >message news:dd0601c40ad1$bbb37740$a101280a@phx.gbl...
> >> >> >> >> I gave the idea below a try, but it didn't work.  Does anybody
> >> >> >> >> else (or Derek) have any ideas?  If you need specifics, let me
> >> >> >> >> know.
> >> >> >> >>
> >> >> >> >> >-----Original Message-----
> >> >> >> >> >Alan,
> >> >> >> >> >
> >> >> >> >> >I assume you mean that you have given the group the "Add
> >> >> >> >> >workstations to domain" user right?  Well, this is not
> >> >> >> >> >necessary in AD.  You can get by with just delegating
> >> >> >> >> >permissions to create computer objects in the OU where the
> >> >> >> >> >admin needs to join the computer to the domain.  So, this
> >> >> >> >> >gives you more granularity and ultimate control.
> >> >> >> >> >
> >> >> >> >> >Does this make sense?
> >> >> >> >> >
> >> >> >> >> >-- 
> >> >> >> >> >Derek Melber
> >> >> >> >> >BrainCore.Net
> >> >> >> >> >derekm@braincore.net
> >> >> >> >> >"Alan Price" <anonymous@somedomain.tld> wrote in message
> >> >> >> >> >news:b37501c40794$1dfb28d0$a401280a@phx.gbl...
> >> >> >> >> >> We have several groups with specific rights set up on our
> >> >> >> >> >> server.  We want to give a group of administrators the
> >> >> >> >> >> right to join workstations to the domain.  We have enabled
> >> >> >> >> >> this right in Group Policy, but it is not working.  The
> >> >> >> >> >> group members cannot join the computers to the domain.
> >> >> >> >> >> For user reasons, the admins are also in a different group
> >> >> >> >> >> with more restrictions.  Could a restriction in this group
> >> >> >> >> >> be cancelling out the right to join computers?  If so or
> >> >> >> >> >> possible, where would it be?  We have tried moving the
> >> >> >> >> >> admin group up in the hierarchy of rights management, but
> >> >> >> >> >> that didn't help.  Any ideas?  If you need any specifics,
> >> >> >> >> >> let me know.

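Derek's pointer to dsacls.exe / acldiag.exe can be scripted. The PowerShell below is an added example, not part of the original thread, that hunts for Deny ACEs bound to a given user through the user's own SID or any group SID in that user's token (so a Deny aimed at "Students" shows up for a member of "Student Admins"), on every object where a Computer account could be created: the domain head, OUs and containers. It assumes the RSAT ActiveDirectory module (Get-ADUser, Get-ADObject and the AD: drive) and an account that may read the ACLs; the account name 'student.admin1' is a placeholder. The Computer class GUID is the well-known schemaIDGUID of that class.

```powershell
# Added example (not from the thread): list Deny ACEs in AD that apply to a user,
# plus optionally the Allow ACEs that grant "create computer objects", so a
# delegation that looks right in ADUC but fails with "Access is denied" can be
# traced to the ACE that blocks it.
# Assumes the RSAT ActiveDirectory module; run as an account allowed to read ACLs.
Import-Module ActiveDirectory

# schemaIDGUID of the Computer class: an ACE with this ObjectType and CreateChild
# is the "create Computer objects" permission the delegation wizard writes.
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AllObjectTypes    = [guid]::Empty   # ObjectType of an ACE covering every child class

function Find-BlockingAces {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $SearchBase = (Get-ADDomain).DistinguishedName,
        [switch] $IncludeAllow     # also report Allow ACEs that grant computer creation
    )

    # tokenGroups is computed by the DC and already flattens nested membership,
    # so it reflects every group a Deny could be aimed at for this user.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })

    # Places where a Computer object can be created: domain head, OUs, containers.
    $containers = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'

    foreach ($obj in $containers) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # The ACL exposes the trustee as an NTAccount; compare by SID, not by name.
            try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $aceSid = $ace.IdentityReference.Value }   # orphaned SID, already a string
            if ($sids -notcontains $aceSid) { continue }

            $isDeny = $ace.AccessControlType -eq 'Deny'
            $createsComputers = $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
                                ($ace.ObjectType -eq $ComputerClassGuid -or $ace.ObjectType -eq $AllObjectTypes)

            if ($isDeny -or ($IncludeAllow -and $createsComputers)) {
                $typeLabel = if ($ace.ObjectType -eq $ComputerClassGuid) { 'computer' }
                             elseif ($ace.ObjectType -eq $AllObjectTypes) { 'all' }
                             else { $ace.ObjectType.ToString() }
                [pscustomobject]@{
                    Object     = $obj.DistinguishedName
                    Type       = $ace.AccessControlType
                    Trustee    = $ace.IdentityReference.Value
                    Rights     = $ace.ActiveDirectoryRights
                    ObjectType = $typeLabel
                    Inherited  = $ace.IsInherited
                }
            }
        }
    }
}

# 'student.admin1' is a placeholder account name for illustration.
Find-BlockingAces -SamAccountName 'student.admin1' -IncludeAllow | Format-Table -AutoSize
```

A Deny row with CreateChild in Rights and ObjectType "computer" or "all" on the container where the join is attempted (or inherited into it) is enough to produce "Access is denied" even though the delegation's Allow ACE is present. ACEs are evaluated in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. So an Allow written directly on the OU beats a Deny inherited from the domain head, but an explicit Deny on the same OU, or an inherited Deny when the Allow is also inherited, wins. Without the module, `dsacls.exe "<distinguished name>"` prints the same ACL as text, and the Deny entries can be read off it.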
