RE: "Access Denied" when adding workstation to domain
From: Rashmi.K.Y [MSFT] (v-raky_at_online.microsoft.com)
Date: 08/16/04
- Next message: Jim Smith: "GPO Security Filtering"
- Previous message: pieco26_at_hotmail.com: "Run Command and Network Neighborhood is missing"
- In reply to: Wayne Lacy: ""Access Denied" when adding workstation to domain"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 16 Aug 2004 22:35:45 GMT
Hello,
Thank you for posting.
I understand that you want to the members of a global group to add
workstations to domain.
Please try the following steps:
1. Disconnect the system from domain if it is already connected to. Rename
the system.
2. Delete the computer account in Active Directory for the system that you
are trying to connect.
3. Create a new Global group.
4. Add the users to the Global group.
5. Right in the computer container. Click on properties.
6. Click on security tab. Click on add to add the global group name.
7. Highlight the global group and click on Advanced.
8. Highlight the group in this screen. Click " Edit" and in the "Applies
onto... " drop-down box select "Computer Objects".
9. Allow the following permissions for the group.
"Read all Properties,"
"Write all Properties,"
"Reset Password"
"Change Password"
10. Select the checkbox "Apply these permissions to objects and/or
containers within this container only.
11. Change the "Apply onto:" box to "This object and all Child Objects".
12. Add the "Create Computer Objects" item.
13. Select the "Apply these permissions to objects and/or containers within
this container only.
14. The group should now be listed four times in the Special Permissions
box with the rest of the users. Please confirm.
15. Replicate the changes if required.
Now please try adding the workstation to the domain as a user who is the
member of the global group.
I hope the above information helps. If there is anything unclear, please
feel free to let me know.
Thank you and have a nice day!
Rashmi
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: "Access Denied" when adding workstation to domain
| thread-index: AcSBnYUJWfxG19MoQRqKWeQdcLTJRQ==
| X-WBNR-Posting-Host: 66.74.41.247
| From: "=?Utf-8?B?V2F5bmUgTGFjeQ==?=" <Wayne
Lacy@discussions.microsoft.com>
| Subject: "Access Denied" when adding workstation to domain
| Date: Fri, 13 Aug 2004 18:25:01 -0700
| Lines: 10
| Message-ID: <908C2A59-7795-447B-8EDD-16FAC4C3C264@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.windows.group_policy
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.group_policy:8473
| X-Tomcat-NG: microsoft.public.windows.group_policy
|
| I have a Windows 2003 Active Directory. I am attempting to assign global
| groups to have the permission to "Add Workstations to Domain". However,
when
| I modify the Default Domain Security Policy, Domain Controller Security
| Policy, or Delegate Control at either the Domain or OU level, the group
gets
| "Access Denied". I also attempted to do the same as above for a single
user,
| but this did not change either. As soon as I put the user into "Domain
| Admins", all works well. Where is the policy that will allow this group
to
| create/delete computer objects without leaving them in the domain admin
group?
|
| Any assistance would be appreciate
|
- Next message: Jim Smith: "GPO Security Filtering"
- Previous message: pieco26_at_hotmail.com: "Run Command and Network Neighborhood is missing"
- In reply to: Wayne Lacy: ""Access Denied" when adding workstation to domain"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
