Solved

Group Policy

Posted on 2007-11-22
40
459 Views
Last Modified: 2012-08-13
Dear Sir,

In my company I want to give the support people the privilege to join computers to the domain (Windows Server 2003). For that I have also looked at some previous answers here on Experts Exchange. I created a test user (join) and created a domain-level policy "Allow this user to join computers into domain" and specified this user "join", but when I tried to join the computer to the domain it gave me the error "Access Denied". Then I tried to give it through Delegate Control to the same user "join", but it still gives the same "Access Denied". Can anyone help me? I have tried everything to solve this but was not able to.

The other policy: I created a Restricted Groups policy so that whenever a support user logs in to a computer he automatically becomes an administrator, but the problem is that after implementing this policy the people who were in the local Administrators group were removed from it and only the persons specified in the restricted group were added. Is it possible that all the persons who were in the local admin group are not removed, but the users to whom I gave the privilege are added?

Quick reply will be appreciated.


Bye.
Question by:itdeptalansari
40 Comments
 
LVL 1

Expert Comment

by:mr_mpz
ID: 20336443
Use an Organizational Unit (OU) and test it.
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20337437
If there are a handful of PCs you are attempting to join to your domain, pre-stage these PCs in a particular container and, from the properties of each computer object, change the domain admin to the specific user or security group who can join it to your domain.

0
 

Author Comment

by:itdeptalansari
ID: 20337556
I have tested it on a TEST OU by giving Delegate Control, and even through Group Policy, but it still gives the same error, ACCESS DENIED.

And all the users and computers are under one OU to which the restricted policy is applied. So I want to know: when a computer is joined to the domain it automatically gets placed in the default container called Computers, but I want to change it to another location (I don't want to do it manually), so that once the PC is joined to the domain it is under the OU where all the users and computers are stored and the restricted policy applies easily. Is that possible?

There are no comments yet regarding my 2nd question about the restricted policy.


Thank you, bye.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20342492
Hi itdeptalansari,
You do not need to add this join user to an OU, and you don't need to set GPOs for it. What you have to do is simply add this user to the "Account Operators" group on the Member Of tab of the user's properties.

Regards
0
 

Author Comment

by:itdeptalansari
ID: 20342976
I wanted to give my support people access to join computers to the domain, so I tried everything (which I mentioned earlier) and it is not working. Does anyone have any reasons or solutions?
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20342992
And I submitted the solution. Add your support people's users to the "Account Operators" group in Active Directory.
0
 

Author Comment

by:itdeptalansari
ID: 20345018
Hi Mrhusy,

Do you mean to say that if I add that user to the "Account Operators" group, it will allow that user, to whom I gave the privilege, to join computers to the domain?

Do you have any idea regarding the restricted group policy which I asked about earlier?

Thank you for your reply.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20345486
"Do you mean to say that if I add that user to the "Account operators" group, it will allow that user to whom I gave the privilege to join computers to the domain?" Exactly!

"Do you have any idea regarding the restricted group policy which I asked about earlier?"
Sure I do, but according to EE rules you cannot ask two different questions in one question :(. Please open a new question for this.

Regards


0
 

Author Comment

by:itdeptalansari
ID: 20348227
OK, thank you for your help. I will test it and get back to you.

Bye.
0
 

Author Comment

by:itdeptalansari
ID: 20364034
Thanks for your help. I tried with one user and it is working fine; let me check for 1 more day, then I will accept your solution. Sorry for the delay.

Bye.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20364164
You are welcome :) No problem about the delay. If you open another question about restricted group policy, please post a link here.
0
 

Author Comment

by:itdeptalansari
ID: 20372396
I wanted to know whether there is any option to restrict the users from creating or deleting user accounts, because after giving them Account Operator rights they are now able to create and delete accounts as well, so I want to restrict them to just resetting passwords and adding descriptions to accounts. One more problem is that they are able to get added to the Remote Desktop group, so will this allow them to log in to the server remotely?


Thanks in advance.
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20372588
Try this: create a security group and put it inside a particular OU, and also put the users that will be managing this role in this OU. Right-click this OU and select Delegation > add the security group > select reset password on accounts, and tick the other tasks that they need to perform.

The Account Operators group is probably overkill.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20372665
I don't agree with mcse2007. This will break the capabilities of the Account Operators group, which may cause problems. The correct way is:
    *Create a group called "Join Operators"
    *In the Default Domain Controllers Policy, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. In the right pane, double-click "Add workstations to domain". You will see Account Operators there. Click Add and add your new "Join Operators" group.
    *Remove your users from the Account Operators group and add them to the Join Operators group.

Regards
 
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20391228
Any update?
0
 

Author Comment

by:itdeptalansari
ID: 20395050
Sorry for the delay; there were 4 days of holidays here. Tomorrow I will be going to the office, then I will test and let you know at the same time.
0
 

Author Comment

by:itdeptalansari
ID: 20401176
Once again sorry for the delay. I checked it just now by removing that user from the Account Operators group, and then that old Access Denied problem started again. Even after adding this user to the domain controller group policy "allow this user to join computers into domain", the same old error is still coming. I tried to give Delegate Control also, but still the same problem.

Now for the time being I gave Account Operator rights to this user until the problem is solved, and now it is working fine.

Bye.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20401611
Please follow the steps I submitted carefully. Did you create Join Operators and add the user to it? Also run gpupdate /force for the policy to take effect.
0
 

Author Comment

by:itdeptalansari
ID: 20401939
Yes, I have created a group, "join computers", added the join3 user to it and ran gpupdate /force, but that same error is still coming: ACCESS DENIED.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20402065
Double-check the following step:
"*In the Default Domain Controllers Policy, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. In the right pane, double-click "Add workstations to domain". You will see Account Operators there. Click Add and add your new "Join Operators" group."
    Make sure you applied this to the Default Domain Controllers Policy and that in the "Add workstations to domain" option both "Account Operators" and "Join Operators" are listed.

0
 

Author Comment

by:itdeptalansari
ID: 20408955
Yes, as per your solution I followed the same steps, but it still gives ACCESS DENIED. To update you again: I have implemented a Restricted Groups policy at the domain level, so that all the local administrators are removed from the local machine and only those to whom I gave the permission are Administrators of the local machine. So will the above policy (Restricted GPO) affect the "Add workstations to domain" policy?

One more thing to update: there are 2 domain controller policies:

1) Default Domain Security Settings

I have added the users here.

2) Default Domain Controller Security Settings

Here it is given Authenticated Users.

Thank You.
0
 

Author Comment

by:itdeptalansari
ID: 20417593
ANY UPDATES!!
0
 

Author Comment

by:itdeptalansari
ID: 20417594
ANY UPDATES!!
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20418504
1) Default Domain Security Settings

I have added the users here.

2) Default Domain Controller Security Settings

Here it is given Authenticated Users

    I don't understand the above, sorry. What is Authenticated Users? I did not mention this, and I also did not mention any change in the Default Domain Policy. My domain is configured as I mentioned above, and join accounts work successfully.
    The above steps are the simplest explanation that I can give.

I submitted the answer for your original question at post ID: 20342492
And a better way in post ID: 20372665

Regards
0
 

Author Comment

by:itdeptalansari
ID: 20439816
To be more clear, let me write it in steps:

There is 1 OU, Desktop, where all the users and computers and sub-OUs (created per department) are.

For this OU I created a GPO (with the restricted GPO) to give support the privilege to become local admin whenever they log in to a local machine in the domain.

As per your instructions I created a group, IT-Operations, and added all the IT users to that group.

- This group, IT-Operations, I added to the "Default Domain Policy":

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. In the right pane, double-click "Add workstations to domain", click Add, and I added ITC-Operations here.

"BUT THERE IS NOTHING THERE, i.e. THE LIST IS EMPTY (NO GROUP LIKE ACCOUNT OPERATORS) ADDED TO THIS "ADD WORKSTATIONS TO DOMAIN" LIST AS YOU MENTIONED"

-----------------------------------------------------------------------------------------------------------------------------

I want to check whether this Restricted GPO is affecting the "Join Computers into domain" policy.

Because after this also I tried it and it is still giving ACCESS DENIED.


Thanks.
0
 

Author Comment

by:itdeptalansari
ID: 20439930
Sorry, there are some mistakes in my above question:

OLD/Mistake:

BUT THERE IS NOTHING THERE, i.e. THE LIST IS EMPTY (NO GROUP LIKE ACCOUNT OPERATORS) ADDED TO THIS "ADD WORKSTATIONS TO DOMAIN" LIST AS YOU MENTIONED"

Correct format:
"The list is empty in "Add workstations to domain", but as per you there should be Account Operators present there."


So after implementing the policy "Join workstation to domain" I tried it and it is still giving me Access Denied. I tried everything and the same error is still coming; only if the user is added to Account Operators is it working fine.

Thanks.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20440131
THERE IS NOTHING THERE BECAUSE YOU DON'T LOOK AT THE DEFAULT DOMAIN "CONTROLLER!!!!!!" POLICY
PLEASE EDIT THE DEFAULT DOMAIN CONTROLLER POLICY!!!
   *In the Active Directory Users and Computers window, right-click the Domain Controllers OU > Properties. Click the Group Policy tab, click Default Domain Controllers Policy and click Edit. (If GPMC is installed, you will only see Open there; click Open, then the Default Domain Controllers Policy will appear.)

Regards
0
 

Author Comment

by:itdeptalansari
ID: 20440200
I followed the above steps and there I found "Authenticated Users" in that GPO. Then I added my group (IT-Operations) to it; after that I tested, and it is still the same (Access Denied).

0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20440500
You need to edit the "Default Domain Policy" and then add your security group (the members of your IT staff who can join workstations to the domain) from Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment; here double-click "Add workstations to domain".

 
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20440646
A user can join a maximum of only 10 computers to the domain when you give him this permission through GPO.

Better is using Delegate Control and giving your security group permission to create computer objects, for an unlimited number of workstations to join to the domain.

Here's how:
Right-click the OU where your IT members who will be delegated this task are, and select Delegate Control > Add members or group > Create a custom task to delegate > Only the following objects in the folder > Computer objects, then give them Full Control permission.

To change the default container, or to specify a particular container where computers will end up when joined to the domain, below is a useful link for this task:

http://www.windowsitlibrary.com/Content/2026/08/2.html

0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20440834
"Only 10 computers maximum that a user can join workstation to domain when you give him this permission through GPO"
   Where does this wrong information come from?
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20444259
MrHusy, it appears the difference between you and me is knowledge and precision about Windows products; that says it all about my username!!!

Where does this wrong information, I should say right information, come from? It was published by Microsoft. Click below, dude, you will see what I mean, and next time if you have a question take it up with Microsoft:

http://thesource.ofallevil.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_seconceptsunprivs.mspx?mfr=true
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20444535
  Dear mcse2007,
     I wish you a happy career with your nick.

   Dear itdeptalansari,
     "Only 10 computers maximum that a user can join workstation to domain when you give him this permission through GPO"
      This statement is totally wrong, no matter which link supports it. A member of a group listed in "Add workstations to domain" can join as many as possible. But the important point here, which is what Microsoft says and wants people to understand, is that members of "Add workstations to domain" can create only 10 different computer accounts! But remember, this user is still able to join a client to the domain as long as the computer account exists. In view of the fact that computer accounts still exist after the client is disjoined from the domain, until the garbage collection process of Active Directory removes them, the above users can join computers to the domain using existing computer accounts. But if you say "I don't want to struggle with using existing accounts, and I want the 'Add workstations to domain' members to be able to create as many computer accounts as they like", follow the easy steps below.
    *In the Active Directory Users and Computers window, right-click the Computers container > Properties > Security.
   *Add the group you created (IT Operations, I think) and added to the "Add workstations to domain" policy here, then click Advanced.
   *Double-click your group as listed (IT Operations), then check the box under Allow next to "Create Computer Objects" and, if you like, "Delete Computer Objects".
   
That's all. Keep in mind that you should run gpupdate /force on both the server side and the client side as you make changes in policies like "Add workstations to domain" in the previous steps.

Regards
0
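The three settings this answer separates (the per-user creation quota, the "Add workstations to domain" user right, and the Create Computer Objects ACL on the Computers container) can be audited in one pass. The following PowerShell script is an added example, not code from this thread; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later, so not the Server 2003 tools in use here) and that it runs on a domain controller so that secedit reports the DC's effective user rights.

```powershell
# Added audit script (not from the thread). Assumes the ActiveDirectory
# module is available and that it runs on a domain controller.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# 1) The quota behind the "10 computers" discussion: it caps how many
#    computer accounts a holder of the user right may CREATE, not how many
#    existing computer accounts they may join a machine to.
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"

# 2) Who holds "Add workstations to domain" (SeMachineAccountPrivilege) on
#    this DC, as applied by the Default Domain Controllers Policy.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=')[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            # secedit writes SIDs prefixed with '*'; translate them to names.
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $v }
        } else { $v }
    }
}
Write-Host "SeMachineAccountPrivilege holders: $($holders -join ', ')"

# 3) Who may create computer objects in the Computers container, the ACL
#    route the answer describes, which is not limited by the quota.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$computerClassGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$computersDn = $domain.ComputersContainer
$acl = Get-Acl -Path "AD:\$computersDn"
$creators = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -and
    ($_.ObjectType -eq $computerClassGuid -or $_.ObjectType -eq [guid]::Empty)
}
Write-Host "Principals allowed to create computer objects in ${computersDn}:"
$creators | ForEach-Object {
    Write-Host ("  {0}  (inherited: {1})" -f $_.IdentityReference, $_.IsInherited)
}
```

If computer objects are redirected to another OU, point the third check at that OU's distinguished name instead of $domain.ComputersContainer, which is the mismatch the accepted solution suspects.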
 

Author Comment

by:itdeptalansari
ID: 20454951
Mr.Husy,

I tried as per your comments but still the same error. Now I am preparing a test server and I will try on that; I think there is some policy which is blocking and not allowing this GPO to be used to join computers to the domain.


Is it possible to reset the settings from the Security tab for IT Operations (my group of IT support) and change some settings so that they are only allowed to reset passwords and join computers to the domain, after adding them to the Account Operators group?

Thankx.

0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20455126
If you applied your policy to a particular OU, turn on the "Block Inheritance" setting so it won't get overridden.
0
 

Author Comment

by:itdeptalansari
ID: 20455445
It worked when I went to OU > Properties > Security > Advanced; there I added a test user and gave him permission for "Reset Password" and "Create/Delete Computer Objects", and now it is working. Before, when I did the same thing with Delegate Control, it was not working.

It is working fine now, but I should know the cause of the problem before closing this post. I will open a new post for the restricted policy.

Thanks for all your help,

Bye.
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 20455662
"It worked when I went to OU": do you mean the "Computers" container by "that OU"?
   If what I mentioned above didn't work, that means your computer objects are not created in the "Computers" container, or were somehow redirected/moved to that OU.
   In your test environment you will see that my directions work flawlessly. I applied this scenario 2 years ago at an education company in which computers are frequently imaged and joined to the domain by limited users created as above. It was such a simple task.

Regards
0
 

Author Comment

by:itdeptalansari
ID: 20457257
Mr. Husy,

OK, Mr. Husy & Mr. MCSE2007, thanks for your help. Please find below the link for the restricted GPO:


http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_23018301.html


Bye.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20457289
Any reason for the B grade? Was something missing?
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20460493
MrHusy, don't be too greedy :-)

I didn't get any points for my efforts either (i.e. I initiated the idea of creating the computer object, and then the floodgates opened); that's how the game plays :-(
0
