Re: Trying to use NetJoinDomain API...



Nope, I used the delegation wizard to set ACLs, and I also went in and added
additional permissions.
These are the permissions granted to the group, set at the domain level.
Create/Delete Printer Objects, Apply To: Computer Objects
Create/Delete Shared Folders, Apply To: Computer Objects
Create/Delete Computer Objects, Apply To: This object and all child objects
List Contents & Read Permissions, Apply To: This object and all child
objects

And the following rights granted on Computer Objects:
List Contents
Read All Properties
Write All Properties
Read Permissions
All Validated Writes

Putting computers in without specifying an OU works fine, but if I pass an
OU to NetJoinDomain, it only works if the group is added to "Pre-Windows
2000 Compatible Access." I'm not sure what I'm missing.

Thanks,
NMDANGE

"Oli Restorick [MVP]" <oli@xxxxxxxx> wrote in message
news:%236hH5AYeFHA.616@xxxxxxxxxxxxxxxxxxxxxxx
> When you say you delegated "the ability to add computers to the domain",
> you're not referring to the NT right "Add Computers to the Domain", are
> you? If so, you're barking up the wrong tree.
>
> You need to use the delegation wizard to delegate to a group the ability
> to add (and possibly remove, depending on your needs) computer objects
> from the particular OU in question.
>
> Hope that helps
>
> Oli
>
>
>
> "Michael D'Angelo" <nospam@xxxxxxxxxxxxxxx> wrote in message
> news:OCPWzFPeFHA.220@xxxxxxxxxxxxxxxxxxxxxxx
>> Greetings,
>>
>> I've written a VB program which calls NetJoinDomain, with the purpose of
>> putting computers in a particular OU. If I use a domain admin, it works
>> fine. I created a group to which I delegated the ability to add
>> computers to the domain. Now if I try a user from that group, it only
>> works if I add the group to the "Pre-Windows 2000 Compatible Access"
>> group - or if I do not specify an OU when I call the API. I tried to
>> give the group the same permissions as PreWin2000 Compatible Access, but
>> no matter what I do, I get "Access is Denied." There are no failures in
>> the security audit on the DC to indicate what is being denied. Does
>> anyone know what permission specifically is needed?
>>
>> Thanks in advance
>> NMDANGE
>>
>
>

