Access Denied when joining computer to Domain?? (W2K3 AD)

I need the ability to have Help Desk create computer accounts in AD and then some other group of staff actually join the computers to the domain using the names that the Help Desk provided to them.

Problem is this:

If Tech-A attempts to join a computer to the domain using a computer name of a computer account that Tech-B created in AD, Tech-A is getting Access Denied.  I'm guessing because only Domain Admins and the Creator/Owner of the Computer Account can add it to the Domain.

I want Help Desk to be the only ones creating computer accounts in the Domain and then I want to be able to allow others to join those computers to the domain WITHOUT having to be members of the Domain Admins group.

I've tried everything I know and any help would be greatly appreciated.

LD
LDMak90 asked:
techtommy Commented:
Is it possible to have the helpdesk pre-create the computer objects?  What we have done at my company is similar, the helpdesk can create computer objects by delegation and then during the creation you can select the group that has rights to this object.  Then we simply insert a group that contains all the helpdesk staff.  This allows them to add/change/delete the object at any time by any one.
 
Jay_Jay70 Commented:
By default users can add machines to the domain... have you changed this?
 
LDMak90 (Author) Commented:
By default Authenticated Users can add machines to the domain a total of 10 times.  After that they get an error saying they have exceeded the limit...

What I need is to have staff able to join computers whose accounts have already been created in AD by someone else.
 
Toni Uranjek (Consultant/Trainer) Commented:
I would suggest that you create new OU for example "Test". Then use REDIRCMP command to redirect new computer accounts from "Computers" container to this OU. (Syntax: redircmp "OU=Test,DC=Domain,DC=com"). This command should be issued only once on one of your domain controllers. Then you can delegate full control for computer account objects to appropriate group for Test OU with Delegation of control wizard.
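The redirect-and-delegate approach described in the comment above, written out as an added example; this is not from the original thread or any of its participants. It assumes a domain corp.example.com, an OU named Test, and a group CORP\Desktop Support, all hypothetical names. redircmp and dsacls are the Windows Server 2003 tools for this; run it once, on one domain controller, as a Domain Admin.

```powershell
# Added example, not from the original thread. Hypothetical names: corp.example.com,
# OU=Test, group "CORP\Desktop Support". Run once on a domain controller as a Domain Admin.
$ou    = 'OU=Test,DC=corp,DC=example,DC=com'
$group = 'CORP\Desktop Support'

# 1. Make computers joined without a pre-created account land in the Test OU instead of
#    the default CN=Computers container. Requires Windows Server 2003 domain functional level.
redircmp $ou

# 2. Delegate creation and deletion of computer objects in the OU (the same thing the
#    Delegation of Control wizard's "Create, delete, and manage computer objects" task does).
#    /I:T = apply to this object and sub-objects; CCDC;computer = create/delete child of class computer.
dsacls $ou /I:T /G "${group}:CCDC;computer"

# 3. Full control over computer objects that exist or will exist in the OU, so the group
#    can reset the account password and write the attributes a domain join touches.
#    /I:S = sub-objects only; GA;;computer = generic all, inherited only by computer objects.
dsacls $ou /I:S /G "${group}:GA;;computer"

# 4. Review the resulting ACL before handing the OU over. Anyone with CCDC;computer here can
#    create computer accounts in this OU; this is effectively what the author objected to when
#    the same right is handed to everyone through ms-DS-MachineAccountQuota.
dsacls $ou
```

Note that this delegation lets Desktop Support both create and join computers, which is why the author says below it does not match their model (Help Desk creates, Desktop Support only joins); the Domain Controllers OU is not under Test, so there is nothing to remove from it.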
 
LDMak90 (Author) Commented:
Well... I know what you're talking about... but... that doesn't really solve the issue.  

Politics in the company require that only Help Desk staff create the computer accounts prior to someone else joining the computer to the domain.  Help Desk will be creating the Computer accounts in specific OUs and using specific naming conventions.  Then Desktop Support staff will later use those computer names to join the computers to the domain.

Redirecting the default Computers container to an OU and granting permissions to a group would allow members of those groups to add computers to the domain through the OS of the computer without having to create the accounts first and then they could move the accounts to the appropriate OU.  However, this will not suit the support model that management has in mind.

Why why why does Microsoft make something like this soooo troublesome??  

 
Toni Uranjek (Consultant/Trainer) Commented:
Delegate creation (and other tasks) of computer account objects to "Desktop Support" to entire domain and if necessary remove delegation from DC OU.
 
LDMak90 (Author) Commented:
This is exactly what I put in place as process for the company today and it works like a charm (thanks to all for your suggestions).

First, we removed that silly policy that allows Authenticated Users to add computers up to 10 times.  In our company this is looked at as a security flaw.  

Then, as techtommy suggested, we made a group (_JoinComputers) and dropped all other support staff in as members.  Now, when Help Desk creates computer accounts they click the CHANGE button and add the group _JoinComputers as being the group able to join the computer to the domain (by default it is set to Domain Admins).

Doing so sets the ACLs on the computer object so that no matter who actually created the computer account it can be joined to the domain by any member of the _JoinComputers group and of course Domain Admins maintain the ability to do so.

Thanks very much again... GREAT community you all have here...

LD
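The process the author settled on (techtommy's pre-created object plus the _JoinComputers group, and dropping the 10-machine quota), scripted as an added example rather than clicked through ADUC. This is not code from the thread or its participants. It assumes a domain corp.example.com, an OU=Workstations, a computer name WS-0042 and the group _JoinComputers, all hypothetical, and it needs the ActiveDirectory PowerShell module, which means a Windows Server 2008 R2 or later DC (or the Active Directory Management Gateway Service on the thread's Windows Server 2003 DCs). Instead of ADUC's CHANGE button it grants the four rights Microsoft documents as required to join a pre-staged account; the ADUC dialog grants a comparable set.

```powershell
# Added example, not from the original thread. Hypothetical names: corp.example.com,
# OU=Workstations, computer WS-0042, group _JoinComputers. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ou     = "OU=Workstations,$($domain.DistinguishedName)"
$name   = 'WS-0042'
$group  = Get-ADGroup '_JoinComputers'

# 1. Close the "Authenticated Users may join 10 machines" hole the author removed:
#    with ms-DS-MachineAccountQuota = 0 nobody creates computer accounts by joining,
#    so every computer object must be pre-created by someone with delegated rights.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Help Desk pre-creates the object with the agreed name in the agreed OU.
New-ADComputer -Name $name -SamAccountName "$name`$" -Path $ou -Enabled $true
$computer = Get-ADComputer $name
$adPath   = "AD:\$($computer.DistinguishedName)"

# 3. Grant _JoinComputers only what a join needs on this one object (no create/delete in the OU):
#    Reset Password, Validated write to DNS host name, Validated write to SPN,
#    and read/write of the Account Restrictions property set (userAccountControl etc.).
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rights = @(
  @{ Right = 'ExtendedRight';              Guid = '00299570-246d-11d0-a768-00aa006e0529' }  # Reset Password
  @{ Right = 'Self';                       Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' }  # Validated write to DNS host name
  @{ Right = 'Self';                       Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' }  # Validated write to SPN
  @{ Right = 'ReadProperty, WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' } # Account Restrictions
)
$acl = Get-Acl -Path $adPath
foreach ($r in $rights) {
  $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID, [System.DirectoryServices.ActiveDirectoryRights]$r.Right, $allow, [guid]$r.Guid)
  $acl.AddAccessRule($ace)
}
Set-Acl -Path $adPath -AclObject $acl

# 4. Verify: the ACEs are on the object itself, so it does not matter who created it.
(Get-Acl -Path $adPath).Access |
  Where-Object { $_.IdentityReference -like '*\_JoinComputers' } |
  Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# 5. Later, on the workstation, any member of _JoinComputers joins it with their own
#    credentials; no Domain Admins membership and no creator/owner relationship needed.
#    Add-Computer -DomainName $domain.DNSRoot -Credential (Get-Credential 'CORP\tech-a')
```

Reset Password is the right that matters for security here: a principal holding it on a computer object can set that machine account's password and therefore impersonate the machine to the domain, so keep _JoinComputers small and audit changes to its membership the same way you would for Domain Admins.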