Solved

Can't join domain

Posted on 2005-04-01
Last Modified: 2010-04-13
Imagine I have created account A with admin rights and used it for a period of time, but now I remove the admin rights from that account. I still want this account to be able to add PCs to the domain. I already added this user in Active Directory Users and Computers with the rights to add PCs to the domain. When I add a new PC to the domain it works, but if I want to re-add a PC to the domain, it gives me an access denied error. I think it is because the account doesn't have the rights to overwrite certain files or something in AD, so I need to know what kind of rights to set and where to set them. I already gave the right to create and delete objects in AD.
Question by:matutolas
LVL 16

Accepted Solution

by:
JamesDS earned 500 total points
ID: 13679650
matutolas
As well as join domain, you also need to grant a few other rights to allow the computer account to be reset.

On computer objects only:
Create/Delete
Reset Password

You might also need these ones as well:
Read All/Write All
Validated write to DNS Host Name
Validated write to Service Principal Name

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:matutolas
ID: 13694481
JamesDS

Where can I find the reset password option? And if I give these rights to the user, can he reset the admin password? Where can I find the options to validate the write to DNS host name and the service principal name? I'm using DHCP to give IPs, so I suppose when I add the object in the domain the DNS will automatically change.

thanks matutolas
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 13695348
matutolas
The rights to make changes to objects on the domain are modified using the Active Directory Users and Computers Tool.

Open the tool and switch on advanced mode (View/Advanced Features).
Select the OU containing the objects you wish to apply the new security to.
Right-click and select Properties/Security/Advanced.
Hit Add and select the group or users you wish to give the rights to.

In the Apply onto window, select computers and scroll down the list to find the rights I mentioned earlier.

Pay attention to the other options within this dialog and be very careful as AD permissioning is easy to screw up!

voila!

Cheers

JamesDS
0
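The delegation described in the two answers above, scripted with `dsacls` and then reviewed with `Get-Acl`. This is an added example, not part of the original thread; the OU distinguished name and the account name are placeholders, and it grants only the narrower rights from the accepted answer, leaving out Read All/Write All.

```powershell
# Added example with placeholder names; adjust both values before use.
$ou      = 'OU=Workstations,DC=example,DC=com'   # assumed OU holding the computer accounts
$account = 'EXAMPLE\joinaccount'                 # assumed delegated, non-admin account

# 1. Create/Delete computer objects in the OU and below
#    (/I:T = this object and sub-objects; CCDC = create child / delete child).
dsacls $ou /I:T /G "${account}:CCDC;computer"

# 2. Rights applied onto computer objects only (/I:S = sub-objects only).
#    The trailing ";computer" is the inherited object type, so each ACE takes
#    effect on computer objects and not on user accounts in the same OU.
$perComputer = @(
    'CA;Reset Password',                              # control access right
    'WS;Validated write to DNS host name',            # validated write
    'WS;Validated write to service principal name'    # validated write
)
foreach ($right in $perComputer) {
    dsacls $ou /I:S /G "${account}:$right;computer"
}

# 3. Review what the account now holds on the OU (needs the ActiveDirectory
#    module from RSAT, which provides the AD: drive).
Import-Module ActiveDirectory
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Granting to a group instead of a single account makes the delegation easier to review and revoke later.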
LVL 1

Author Comment

by:matutolas
ID: 13695794
JamesDS

I'm sorry for my ignorance, but I don't see the reset password option there. I just added two permissions for the user, add and delete computer objects, and nothing else. Like I said, the user is able to add PCs to the domain if there is no previous record of the same PC. And I'm concerned about the Read All and Write All permission. Will that permission have any impact if the user wants to harm the network?

thanks a lot

matutolas
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 13696185
matutolas
You need to set the Apply Onto window to computer objects. The reset password right is near the bottom (4th one up on my domain).

These rights are set on an OU or at the domain root.

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:matutolas
ID: 13734806
JamesDS

I know I already accepted your answer, but today I found another problem related to my question. I already gave all the permissions that you said. Imagine in my AD I have an object with name XXX and I try to join the domain with another PC with name XXX but with a different SID; what permissions do I have to give for that?

thanks

matutolas
0
