Solved

Access Denied when joining computer to Domain?? (W2K3 AD)

Posted on 2006-11-28
Last Modified: 2012-06-27
I need the ability to have Help Desk create computer accounts in AD and then some other group of staff actually join the computers to the domain using the names that the Help Desk provided to them.

Problem is this:

If Tech-A attempts to join a computer to the domain using a computer name of a computer account that Tech-B created in AD, Tech-A is getting Access denied.  I'm guessing because only Domain Admins and the Creator/Owner of the Computer Account can add it to the Domain.

I want Help Desk to be the only ones creating computer accounts in the Domain and then I want to be able to allow others to join those computers to the domain WITHOUT having to be members of the Domain Admins group.

I've tried everything I know and any help would be greatly appreciated.

LD
Question by:LDMak90
7 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18033065
by default users can add machines to the domain....have you changed this?
 

Author Comment

by:LDMak90
ID: 18033607
by default Authenticated Users can add machines to the domain a total of 10 times.  After that they get an error saying they have exceeded the limit...

What I need is to have staff able to join computers whose accounts have already been created in AD by someone else.
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18035470
I would suggest that you create a new OU, for example "Test". Then use the REDIRCMP command to redirect new computer accounts from the "Computers" container to this OU. (Syntax: redircmp "OU=Test,DC=Domain,DC=com"). This command should be issued only once, on one of your domain controllers. Then you can delegate full control for computer account objects in the Test OU to the appropriate group with the Delegation of Control wizard.
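The same redirect-and-delegate setup, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the thread. It reuses the OU name from the post; the group name "Desktop Support" and the use of the ActiveDirectory module (which needs a current DC or RSAT rather than the W2K3-era tools discussed here) are assumptions. The schemaIDGUID used to scope the ACEs to computer objects is the standard one for the "computer" class.

```powershell
# Added example (not from the thread): Toni Uranjek's suggestion, scripted.
# Assumptions: OU "OU=Test,DC=Domain,DC=com" (from the post) and a delegate
# group named "Desktop Support" (assumed).
Import-Module ActiveDirectory

$ouDn  = "OU=Test,DC=Domain,DC=com"
$group = "Desktop Support"

# 1. Redirect the default Computers container once, on a domain controller.
#    Machines joined without a pre-created account then land in $ouDn.
redircmp $ouDn

# 2. Delegate "Create, delete and manage computer objects" on the OU, which is
#    what the Delegation of Control wizard task does under the hood.
$computerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of class "computer"
$sid   = (Get-ADGroup -Identity $group).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDn"

# Create/delete child objects of class "computer" in the OU and below.
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    $allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($createDelete)

# Full control over computer objects that exist in (or are later created in) the OU,
# scoped by inherited-object type so the group gets nothing on users, groups, etc.
$manage = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)
$acl.AddAccessRule($manage)

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. Check what the group can now do in the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Scoping both ACEs to the computer class is the point worth checking afterwards: a delegation granted as plain GenericAll on the OU without an inherited-object type would also cover any user or group objects that end up there.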
 

Author Comment

by:LDMak90
ID: 18036376
Well... I know what you're talking about... but... that doesn't really solve the issue.  

Politics in the company require that only Help Desk staff create the computer accounts prior to someone else joining the computer to the domain.  Help Desk will be creating the Computer accounts in specific OUs and using specific naming conventions.  Then Desktop Support staff will later use those computer names to join the computers to the domain.

Redirecting the default Computers container to an OU and granting permissions to a group would allow members of those groups to add computers to the domain through the OS of the computer without having to create the accounts first and then they could move the accounts to the appropriate OU.  However, this will not suit the support model that management has in mind.

Why why why does Microsoft make something like this soooo troublesome??  

 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18038431
Delegate creation (and other tasks) of computer account objects to "Desktop Support" for the entire domain and, if necessary, remove the delegation from the DC OU.
 
LVL 3

Accepted Solution

by:techtommy (earned 500 total points)
ID: 18038518
Is it possible to have the helpdesk pre-create the computer objects?  What we have done at my company is similar: the helpdesk can create computer objects by delegation, and then during the creation you can select the group that has rights to this object.  Then we simply insert a group that contains all the helpdesk staff.  This allows them to add/change/delete the object at any time by anyone.
 

Author Comment

by:LDMak90
ID: 18041589
This is exactly what I put in place as process for the company today and it works like a charm (thanks to all for your suggestions).

First, we removed that silly policy that allows Authenticated Users to add computers up to 10 times.  In our company this is looked at as a security flaw.  

Then, as techtommy suggested, we made a group (_JoinComputers) and dropped all other support staff in as members.  Now, when Help Desk creates computer accounts they click the CHANGE button and add the group _JoinComputers as the group able to join the computer to the domain (by default it is set to Domain Admins).

Doing so sets the ACLs on the computer object so that no matter who actually created the computer account it can be joined to the domain by any member of the _JoinComputers group and of course Domain Admins maintain the ability to do so.

Thanks very much again... GREAT community you all have here...

LD
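The process techtommy proposed and LDMak90 adopted (pre-create the object, name the group that may join it, and drop the 10-machine quota), scripted with the ActiveDirectory PowerShell module as an added example that is not part of the thread. The group name _JoinComputers comes from the thread; the OU "OU=Workstations,DC=Domain,DC=com" and the computer name WS-0001 are constructed. Instead of full control, the block grants the specific rights the ADUC "Change" dialog confers on the chosen principal (Reset Password, the two validated writes, and Write Account Restrictions), which is the least-privilege version of what the thread describes.

```powershell
# Added example (not from the thread). Assumptions: group "_JoinComputers" (from
# the thread); OU "OU=Workstations,DC=Domain,DC=com" and name "WS-0001" (constructed).
Import-Module ActiveDirectory

# 1. Remove the "Authenticated Users may join 10 machines" default the thread calls
#    a security flaw: set ms-DS-MachineAccountQuota on the domain object to 0.
$domain = Get-ADDomain
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object -ExpandProperty 'ms-DS-MachineAccountQuota'    # should now be 0

# 2. Help Desk pre-creates the computer object under the agreed naming convention.
$name = 'WS-0001'
$ou   = 'OU=Workstations,DC=Domain,DC=com'
New-ADComputer -Name $name -Path $ou -Enabled $true

# 3. Grant _JoinComputers the rights needed to complete the join on this object,
#    regardless of which Help Desk member created it. These are the well-known
#    control-access-right / property-set GUIDs from the AD schema.
$joinSid = (Get-ADGroup -Identity '_JoinComputers').SID
$dn      = (Get-ADComputer -Identity $name).DistinguishedName
$acl     = Get-Acl -Path "AD:\$dn"
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rights = @(
    # Reset Password: lets the joining tech set the machine account password
    @{ Right = 'ExtendedRight'; Guid = '00299570-246d-11d0-a768-00aa006e0529' },
    # Validated write to DNS host name
    @{ Right = 'Self';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' },
    # Validated write to service principal name
    @{ Right = 'Self';          Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' },
    # Write Account Restrictions (property set that includes userAccountControl)
    @{ Right = 'WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }
)
foreach ($r in $rights) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $joinSid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Right,
        $allow,
        [Guid]$r.Guid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$dn" -AclObject $acl

# 4. Check: the ACEs on the object that name _JoinComputers.
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference -like '*\_JoinComputers' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Domain Admins keep their access through the default ACL on the object, so step 3 only adds the support group. Newer Windows client builds apply extra checks when a domain join reuses an account created by a different principal, so test the join from a current client build before rolling this out.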
