Re: Permissions to Delegate User For Netdom





Jorge Pinto has covered this in detail on his blog at
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

hth
Marcin

"Charles" <Charles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8DE06733-ADC6-4F94-9521-17F4D03283C4@xxxxxxxxxxxxxxxx
Hi All:

I need to know what permission to delegate to a user so this user will be
able to add/join computer accounts that already exist back into the
domain.
Netdom works fine if the computer does not exist when this user runs it.
If run using the admin account, it runs fine when the computer account
already exists.

I have delegated the following perms to the OU for the user:
create/delete computer accounts
list all
read/write computer properties
Reset password


Thanks in advance!
06/25 16:06:01
-----------------------------------------------------------------
06/25 16:06:01 NetpDoDomainJoin
06/25 16:06:01 NetpMachineValidToJoin: 'NewComputer'
06/25 16:06:01 NetpGetLsaPrimaryDomain: status: 0x0
06/25 16:06:01 NetpMachineValidToJoin: status: 0x0
06/25 16:06:01 NetpJoinDomain
06/25 16:06:01 Machine: NewComputer
06/25 16:06:01 Domain: bikes
06/25 16:06:01 MachineAccountOU: OU=New SARP,OU=Station Workstations,OU=Revenue,DC=bikes,DC=ad,DC=internal
06/25 16:06:01 Account: bikes\SARPINST
06/25 16:06:01 Options: 0x3
06/25 16:06:01 OS Version: 5.1
06/25 16:06:01 Build number: 2600
06/25 16:06:01 ServicePack: Service Pack 3
06/25 16:06:01 NetpValidateName: checking to see if 'bikes' is valid as type 3 name
06/25 16:06:01 NetpCheckDomainNameIsValid [ Exists ] for 'bikes' returned 0x0
06/25 16:06:01 NetpValidateName: name 'bikes' is valid for type 3
06/25 16:06:01 NetpDsGetDcName: trying to find DC in domain 'bikes', flags: 0x1020
06/25 16:06:01 NetpDsGetDcName: found DC '\\bikedc01' in the specified domain
06/25 16:06:01 NetpJoinDomain: status of connecting to dc '\\bikedc01': 0x0
06/25 16:06:01 NetpGetLsaPrimaryDomain: status: 0x0
06/25 16:06:01 NetpGetDnsHostName: Read NV Hostname: NewComputer
06/25 16:06:01 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: bikes.ad.internal
06/25 16:06:01 NetpLsaOpenSecret: status: 0xc0000034
06/25 16:06:01 NetpGetComputerObjectDn: Cracking account name bikes\NewComputer$ on \\bikedc01
06/25 16:06:01 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=NewComputer,OU=New SARP,OU=Station Workstations,OU=Revenue,DC=bikes,DC=ad,DC=internal
06/25 16:06:01 NetpModifyComputerObjectInDs: Initial attribute values:
06/25 16:06:01 objectClass = Computer
06/25 16:06:01 SamAccountName = NewComputer$
06/25 16:06:01 userAccountControl = 4096
06/25 16:06:01 DnsHostName = NewComputer.bikes.ad.internal
06/25 16:06:01 ServicePrincipalName = HOST/NewComputer.bikes.ad.internal  HOST/NewComputer
06/25 16:06:01 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
06/25 16:06:01 objectClass = top person organizationalPerson user computer
06/25 16:06:01 SamAccountName = NewComputer$
06/25 16:06:01 userAccountControl = 4096
06/25 16:06:01 DnsHostName = NewComputer.bikes.ad.internal
06/25 16:06:01 ServicePrincipalName = HOST/NewComputer  HOST/NewComputer.bikes.ad.internal
06/25 16:06:01 NetpModifyComputerObjectInDs: There are _NO_ modifications to do
06/25 16:06:01 NetpCreateComputerObjectInDs: NetUserSetInfo failed on '\\bikedc01' for 'NewComputer$': 0x5. Deleting the account.
06/25 16:06:01 ldap_unbind status: 0x0
06/25 16:06:01 NetpJoinDomain: status of creating account in OU: 0x5
06/25 16:06:01 NetpJoinDomain: initiaing a rollback due to earlier errors
06/25 16:06:01 NetpLsaOpenSecret: status: 0x0
06/25 16:06:01 NetpJoinDomain: rollback: status of deleting secret: 0x0
06/25 16:06:01 NetpJoinDomain: status of disconnecting from '\\bikedc01': 0x0
06/25 16:06:01 NetpDoDomainJoin: status: 0x5
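Added here as an editor's example, not part of Marcin's or Charles's posts: a small Python triage for netsetup.log output like the one quoted above. It separates the benign 0xc0000034 that NetpLsaOpenSecret reports on a fresh join (no machine secret stored yet) from the real failure, the 0x5 (ERROR_ACCESS_DENIED) at NetUserSetInfo, which is where the delegated account runs out of rights on the pre-existing computer object. The sample log is constructed from the posted one; the function names and keyword filter are assumptions about the log format.

```python
import re

# Constructed excerpt of a netsetup.log, modelled on the one quoted in the post.
SAMPLE_LOG = r"""
06/25 16:06:01 NetpGetLsaPrimaryDomain: status: 0x0
06/25 16:06:01 Options: 0x3
06/25 16:06:01 NetpJoinDomain: status of connecting to dc '\\bikedc01': 0x0
06/25 16:06:01 NetpLsaOpenSecret: status: 0xc0000034
06/25 16:06:01 NetpCreateComputerObjectInDs: NetUserSetInfo failed on '\\bikedc01' for 'NewComputer$': 0x5. Deleting the account.
06/25 16:06:01 NetpJoinDomain: status of creating account in OU: 0x5
06/25 16:06:01 NetpDoDomainJoin: status: 0x5
"""

STATUS_NAMES = {
    0x0: "SUCCESS",
    0x5: "ERROR_ACCESS_DENIED",                   # Win32 error code
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",   # NTSTATUS code
}

# Non-zero codes that are normal on a fresh join: the machine has no stored
# domain secret yet, so NetpLsaOpenSecret returning OBJECT_NAME_NOT_FOUND is benign.
EXPECTED_FAILURES = {("NetpLsaOpenSecret", 0xC0000034)}

LINE_RE = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d (?P<func>\w+)(?P<rest>.*)$")
CODE_RE = re.compile(r"0x[0-9A-Fa-f]+")


def parse_statuses(log):
    """Return [(function, status)] for lines that report a result code. Hex values
    on lines such as 'Options: 0x3' are not result codes, so they are skipped."""
    found = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not re.search(r"status|returned|failed", m.group("rest")):
            continue
        codes = CODE_RE.findall(m.group("rest"))
        if codes:
            found.append((m.group("func"), int(codes[-1], 16)))
    return found


def first_real_failure(log):
    """Return (function, status, name) for the first unexpected non-zero status,
    or None when every reported status is 0 or an expected benign failure."""
    for func, status in parse_statuses(log):
        if status == 0 or (func, status) in EXPECTED_FAILURES:
            continue
        return func, status, STATUS_NAMES.get(status, "UNKNOWN")
    return None
```

For the posted log, first_real_failure points at NetpCreateComputerObjectInDs with ERROR_ACCESS_DENIED, i.e. the join found the existing object but could not write to it with the delegated rights.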

