Re: AD Delegation Issue - Computer Objects



see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"Mike R." <MikeR@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6F8AC060-1CC9-43AC-B67C-0B8E05A72D71@xxxxxxxxxxxxxxxx
Hi there,

I'm trying to delegate control over computer objects in an OU structure in
my domain. My issue began with delegating the ability to add computers to
the domain, but has morphed a little. For the purpose of this post, I'll
call the OU "Standard Computers".

I've successfully delegated the ability to create machines and add them to
the domain by following the instructions in Q article 329195. A user of my
delegated group can create a computer object, go to the physical PC, log in
as an administrator, and join it to the domain using their credentials.

However, if a computer object is created by any other user, I receive an
error when I attempt to join it to the domain. The exact error is:

Computer Name Changes

The following error occurred attempting to join the domain "mydomain":

Access is denied.

If possible, I would like to refrain from delegating more control than is
necessary over this computer OU structure. The goal is to allow a global
group complete control over computer objects in this OU without allowing them
to create other types of objects - users, groups, etc.

I appreciate any input you can provide. Thanks!
Mike



