Solved

Access Denied when joining computer to Domain?? (W2K3 AD)

Posted on 2006-11-28
7
879 Views
Last Modified: 2012-06-27
I need the ability to have Help Desk create computer accounts in AD and then some other group of staff actually join the computers to the domain using the names that the Help Desk provided to them.

Problem is this:

If Tech-A attempts to join a computer to the domain using a computer name of a computer account that Tech-B created in AD, Tech-A is getting Access Denied.  I'm guessing because only Domain Admins and the Creator/Owner of the Computer Account can add it to the Domain.  

I want Help Desk to be the only ones creating computer accounts in the Domain and then I want to be able to allow others to join those computers to the domain WITHOUT having to be members of the Domain Admins group.

I've tried everything I know and any help would be greatly appreciated.

LD
0
Comment
Question by:LDMak90
7 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18033065
by default users can add machines to the domain....have you changed this?
0
 

Author Comment

by:LDMak90
ID: 18033607
by default Authenticated Users can add machines to the domain a total of 10 times.  After that they get an error saying they have exceeded the limit...

What I need is to have staff able to join computers whose accounts have already been created in AD by someone else.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18035470
I would suggest that you create a new OU, for example "Test". Then use the REDIRCMP command to redirect new computer accounts from the "Computers" container to this OU (syntax: redircmp "OU=Test,DC=Domain,DC=com"). This command should be issued only once, on one of your domain controllers. Then you can delegate full control for computer account objects in the Test OU to the appropriate group with the Delegation of Control wizard.
0

 

Author Comment

by:LDMak90
ID: 18036376
Well... I know what you're talking about... but... that doesn't really solve the issue.  

Politics in the company require that only Help Desk staff create the computer accounts prior to someone else joining the computer to the domain.  Help Desk will be creating the Computer accounts in specific OUs and using specific naming conventions.  Then Desktop Support staff will later use those computer names to join the computers to the domain.

Redirecting the default Computers container to an OU and granting permissions to a group would allow members of those groups to add computers to the domain through the OS of the computer without having to create the accounts first and then they could move the accounts to the appropriate OU.  However, this will not suit the support model that management has in mind.

Why why why does Microsoft make something like this soooo troublesome??  

0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18038431
Delegate creation (and other tasks) of computer account objects to "Desktop Support" for the entire domain and, if necessary, remove the delegation from the Domain Controllers OU.
0
 
LVL 3

Accepted Solution

by:techtommy (earned 500 total points)
ID: 18038518
Is it possible to have the helpdesk pre-create the computer objects?  What we have done at my company is similar: the helpdesk can create computer objects by delegation, and during the creation you can select the group that has rights to this object.  Then we simply insert a group that contains all the helpdesk staff.  This allows them to add/change/delete the object at any time, by anyone.
0
 

Author Comment

by:LDMak90
ID: 18041589
This is exactly what I put in place as process for the company today and it works like a charm (thanks to all for your suggestions).

First, we removed that silly policy that allows Authenticated Users to add computers up to 10 times.  In our company this is looked at as a security flaw.  

Then, as techtommy suggested, we made a group (_JoinComputers) and dropped all other support staff in as members.  Now, when Help Desk creates computer accounts they click the CHANGE button and add the group _JoinComputers as the group able to join the computer to the domain (by default it is set to Domain Admins).

Doing so sets the ACLs on the computer object so that no matter who actually created the computer account it can be joined to the domain by any member of the _JoinComputers group and of course Domain Admins maintain the ability to do so.

Thanks very much again... GREAT community you all have here...

LD
0
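The process the author describes above (turn off the default self-join allowance, create a join group, pre-create the computer object and grant that group the join rights the ADUC "User or group" button sets) can be scripted so Help Desk does not have to click through the wizard for every machine. The following is an added example and is not code from the thread or from Experts Exchange; it assumes the ActiveDirectory PowerShell module on a current domain controller or admin workstation, and the OU paths, the computer name and the domain name are placeholders. It disables the self-join by setting ms-DS-MachineAccountQuota to 0, which is one way to remove the "10 times" behaviour the author mentions (editing the "Add workstations to domain" user right in the Default Domain Controllers Policy is the other). The four schema GUIDs are the well-known rights that ADUC grants when you choose a principal in the New Object - Computer wizard.

```powershell
# Added example (not from the original thread): pre-create a computer object and
# delegate the domain-join rights to a group, as the accepted answer describes.
# Assumes the ActiveDirectory module; OU paths, group, computer and domain names are placeholders.
Import-Module ActiveDirectory

$JoinGroup    = '_JoinComputers'                      # group name used in the thread
$GroupOU      = 'OU=Groups,DC=example,DC=com'         # placeholder
$ComputerOU   = 'OU=Workstations,DC=example,DC=com'   # placeholder
$ComputerName = 'WS-HD-0001'                          # placeholder name chosen by Help Desk

# 1. Remove the default self-join allowance that Authenticated Users get (the "10 times" limit).
#    A quota of 0 means only principals with explicit rights on a computer object can join it.
Set-ADObject -Identity (Get-ADDomain).DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}

# 2. The group whose members may join pre-created computers (create it once).
if (-not (Get-ADGroup -Filter "Name -eq '$JoinGroup'")) {
    New-ADGroup -Name $JoinGroup -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# 3. Help Desk pre-creates the computer account with the agreed name and OU.
New-ADComputer -Name $ComputerName -SamAccountName "$ComputerName`$" -Path $ComputerOU -Enabled $true

# 4. Grant the join permissions on that object, regardless of who created it.
$sid = (Get-ADGroup $JoinGroup).SID
$dn  = (Get-ADComputer $ComputerName).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

# Well-known schema GUIDs of the rights a domain join needs on the computer object
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password (extended right)
$accountRestr  = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions (property set)
$dnsHostName   = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$spn           = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name

$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', $resetPassword)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ReadProperty, WriteProperty', 'Allow', $accountRestr)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'Self', 'Allow', $dnsHostName)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'Self', 'Allow', $spn)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$dn" -AclObject $acl

# 5. Check: list the ACEs now held by the join group on this computer object.
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference -like "*\$JoinGroup" } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
```

Because the rights are written onto the computer object itself rather than inherited from the creator, Tech-A can join a machine whose account Tech-B pre-created as long as both are in _JoinComputers, which is exactly the Access Denied case from the original question. Step 5 is also the check to run when a join still fails: if the four ACEs are missing, the object was created without the group being set, and if they are present the failure is elsewhere (name mismatch, stale object, or a different OU than expected).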
