Question

Access Denied when approving Pending Devices in Windows Deployment Services

Asked by: ISGJackson08

I've recently setup Windows Deployment Services on our secondary domain controller Windows Server 2003 box. The server also performs DHCP and DNS server roles.

Everything is working great except for the approval of Pending Devices. I've set the PXE Response Settings in WDS to 'Respond to all (known and unknown) client computers' with the 'For unknown clients, notify administrator and respond after approval' box checked.

Problem is when I try to 'Name and Approve' or 'Approve' a device I get the following error...

Pending Device

Access is denied.

...the Directory Services tab is configured to add accounts to 'The following location:' which is set to our default OU for computer accounts. The server, network admin account (which I'm using to RDP the WDS server) and the domain admins group all have full control to that OU.

I can add new computers to that OU using the Active Directory Users and Computers snap in on the WDS server and also using the DSADD COMPUTER command line tool.

I've googled the hell out of this issue but can only find solutions regarding permissions on the OU (which I've pretty much ruled out given the above) or different languges between severs (both primary DC and the secondary DC/WDS server are set to UK English.

Very confused, would love to get this working though!

Cheers,

Dave

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-07-07 at 04:47:24ID24549179
Tags

Windows Deployment Services

,

Windows Server 2003

,

Active Directory

Topics

Windows 2003 Server

,

Deployment Software for Development

,

Active Directory

Participating Experts
1
Points
500
Comments
8

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Deploying ADSI
    I'ld like to include code in my project that depends on ADSI. I've included a reference to the Active DS Type Library (activeds.tlb). Apparently, this will not install ADSI at the computer where the project will be deployed. Question: Can I deploy the ADSI support files, too...
  2. How to deploy?
    How to deploy an application?
  3. deploy
    I have a standard VB6 programme, i need to deploy to a folder in my website and i want users to install online or optionally download it. how can that be done many thanks ahm

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: ryank1Posted on 2009-07-13 at 14:31:33ID: 24844199

I have the exact scenario listed here, Single DC with DNS, DHCP, WDS roles installed. Windows Server 2003 SP2.

The one piece of advice that I found, said to move the RemoteInstall directory from the system volume to another. Ran "wdsutil /uninitialize-server" then Moved the remoteinstall directory to another drive.Then ran "wdsutil /initialize-server /reminst:E:\RemoteInstall"

Error persists. I'm going to remove the role and readd it next. No idea what's causing this otherwise. I will post when I find something.


Did that to no avail.

 

by: ISGJackson08Posted on 2009-07-14 at 03:39:42ID: 24847888

Hi ryank1,

That's very interesting actually, my folders are also on the system volume. During the initial install it did warn me that it's best practice not to install it on the system volume, but it's a single partition system. I also tried installing it on a network drive but that failed, I didn't make a note of the error.

Since I haven't done much configuring yet I'll try and rip out WDS and re-install it, perhaps on an external HDD if there is one laying around.

Cheers for your thoughts.

 

by: ryank1Posted on 2009-07-14 at 06:58:31ID: 24849524

After hours and hours of battling this, I resolved it in my environment this morning. Here's what I did:

Taken from: http://technet.microsoft.com/en-us/library/cc754005(WS.10).aspx

PXE response policy. This policy, which defines how to respond to client network boot requests, is stored on the servers SCP. Configuring these settings requires read and write permissions to the SCP object.

To grant permissions to the SCP object

Open Active Directory Users and Computers.

Click View, and then click Advanced Features (if it is not already enabled).

Right click the computer account for you Windows Deployment Services server, and click Properties. (In my case its the DC)

On the Remote Install tab, select Advanced Settings&

Select the Security tab, and click Add&

Select the user or group, (administrator) and then select Full Control on this object.

 

Let me know if this works for you!!! I'm very curious and hope you can benefit from this.

 

by: ISGJackson08Posted on 2009-07-16 at 06:08:35ID: 24868597

Okay, tried your SCP permissions fix but sadly it hasn't helped in my case. Have got an external HDD on order with our supplier so I'll try recreating the RemoteInstall folder on there when it arrives.

Cheers,

Dave

 

by: ryank1Posted on 2009-07-16 at 06:53:57ID: 24869035

That's a bummer. The other thing besides moving RemoteInstall off of system volume was to check permissions on the mgmt dir where the database lives. (See attached)

I will try to backtracking everything I did to see if theres anything else along the way.



 

by: ISGJackson08Posted on 2009-08-06 at 08:07:20ID: 25034294

Sorry for the long delay, was waiting for the external HDD to arrive from our supplier. I've re-setup WDS with all the related folders (including RemoteInstall) on the drive but it hasn't helped the issue.

ryank1, I've also checked the NTFS permissions on that folder and have given the Domain Admins group as well as the network admin account and system account full access. Anything I'm missing?

 

by: ryank1Posted on 2009-08-06 at 08:34:39ID: 25034632

When you gave them "full access" did you do that from the security tab of the computer object? I made this mistake initially. It actually needs to be changed under the remote install tab, under advanced. Here's where you should check:

  • Second.JPG
    • 53 KB

    Check the permissions of any accounts using WDS

    Check the permissions of any accounts using WDS
  • First.JPG
    • 52 KB

    After showing advanced features in AD

    After showing advanced features in AD
 

by: ISGJackson08Posted on 2009-08-06 at 09:05:03ID: 31600549

Hi ryank1,

Thanks for your hard work on this, I've actually manged to resolve it. You were very close with the SCP object stuff. In fact the solution was on the same site you linked me to! (http://technet.microsoft.com/en-us/library/cc754005(WS.10).aspx)

Here is what I missed, I had assumed giving the server's computer account full access to the Computer OU would be enough. Apparently not...

To grant permissions to approve a pending computer

Open Active Directory Users and Computers.


Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control.


On the first screen of the wizard, click Next.


Change the object type to include computers.


Add the computer object of the Windows Deployment Services server, and then click Next.


Select Create a Custom task to delegate.


Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next.


In the Permissions box, select the Write all Properties check box, and click Finish.

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...