Solved

Access Denied when approving Pending Devices in Windows Deployment Services

Posted on 2009-07-07
Last Modified: 2013-12-12
I've recently set up Windows Deployment Services on our secondary domain controller Windows Server 2003 box. The server also performs DHCP and DNS server roles.

Everything is working great except for the approval of Pending Devices. I've set the PXE Response Settings in WDS to 'Respond to all (known and unknown) client computers' with the 'For unknown clients, notify administrator and respond after approval' box checked.

Problem is when I try to 'Name and Approve' or 'Approve' a device I get the following error...

Pending Device

Access is denied.

...the Directory Services tab is configured to add accounts to 'The following location:' which is set to our default OU for computer accounts. The server, network admin account (which I'm using to RDP the WDS server) and the domain admins group all have full control to that OU.

I can add new computers to that OU using the Active Directory Users and Computers snap in on the WDS server and also using the DSADD COMPUTER command line tool.

I've googled the hell out of this issue but can only find solutions regarding permissions on the OU (which I've pretty much ruled out given the above) or different languages between servers (both primary DC and the secondary DC/WDS server are set to UK English).

Very confused, would love to get this working though!

Cheers,

Dave
Question by:ISGJackson08

Expert Comment

by:ryank1
ID: 24844199
I have the exact scenario listed here, Single DC with DNS, DHCP, WDS roles installed. Windows Server 2003 SP2.

The one piece of advice that I found said to move the RemoteInstall directory from the system volume to another. Ran "wdsutil /uninitialize-server", then moved the RemoteInstall directory to another drive. Then ran "wdsutil /initialize-server /reminst:E:\RemoteInstall"

Error persists. I'm going to remove the role and re-add it next. No idea what's causing this otherwise. I will post when I find something.


Did that to no avail.
 

Author Comment

by:ISGJackson08
ID: 24847888
Hi ryank1,

That's very interesting actually, my folders are also on the system volume. During the initial install it did warn me that it's best practice not to install it on the system volume, but it's a single partition system. I also tried installing it on a network drive but that failed, I didn't make a note of the error.

Since I haven't done much configuring yet I'll try and rip out WDS and re-install it, perhaps on an external HDD if there is one laying around.

Cheers for your thoughts.

Accepted Solution

by:
ryank1 earned 500 total points
ID: 24849524
After hours and hours of battling this, I resolved it in my environment this morning. Here's what I did:

Taken from: http://technet.microsoft.com/en-us/library/cc754005(WS.10).aspx
PXE response policy. This policy, which defines how to respond to client network boot requests, is stored on the server's SCP. Configuring these settings requires read and write permissions to the SCP object.

To grant permissions to the SCP object

1. Open Active Directory Users and Computers.
2. Click View, and then click Advanced Features (if it is not already enabled).
3. Right-click the computer account for your Windows Deployment Services server, and click Properties. (In my case it's the DC)
4. On the Remote Install tab, select Advanced Settings.
5. Select the Security tab, and click Add.
6. Select the user or group (administrator), and then select Full Control on this object.

 
Let me know if this works for you!!! I'm very curious and hope you can benefit from this.
 

Author Comment

by:ISGJackson08
ID: 24868597
Okay, tried your SCP permissions fix but sadly it hasn't helped in my case. Have got an external HDD on order with our supplier so I'll try recreating the RemoteInstall folder on there when it arrives.

Cheers,

Dave

Expert Comment

by:ryank1
ID: 24869035
That's a bummer. The other thing besides moving RemoteInstall off of the system volume was to check permissions on the mgmt dir where the database lives. (See attached)
I will try backtracking everything I did to see if there's anything else along the way.


 

Capture.JPG
 

Author Comment

by:ISGJackson08
ID: 25034294
Sorry for the long delay, was waiting for the external HDD to arrive from our supplier. I've re-setup WDS with all the related folders (including RemoteInstall) on the drive but it hasn't helped the issue.

ryank1, I've also checked the NTFS permissions on that folder and have given the Domain Admins group as well as the network admin account and system account full access. Anything I'm missing?

Expert Comment

by:ryank1
ID: 25034632
When you gave them "full access" did you do that from the security tab of the computer object? I made this mistake initially. It actually needs to be changed under the remote install tab, under advanced. Here's where you should check:
First.JPG
Second.JPG
 

Author Closing Comment

by:ISGJackson08
ID: 31600549
Hi ryank1,

Thanks for your hard work on this, I've actually managed to resolve it. You were very close with the SCP object stuff. In fact the solution was on the same site you linked me to! (http://technet.microsoft.com/en-us/library/cc754005(WS.10).aspx)

Here is what I missed, I had assumed giving the server's computer account full access to the Computer OU would be enough. Apparently not...

To grant permissions to approve a pending computer

1. Open Active Directory Users and Computers.
2. Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control.
3. On the first screen of the wizard, click Next.
4. Change the object type to include computers.
5. Add the computer object of the Windows Deployment Services server, and then click Next.
6. Select Create a Custom task to delegate.
7. Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next.
8. In the Permissions box, select the Write all Properties check box, and click Finish.
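
The delegation steps in the closing comment, expressed as an audit script. This is an added example, not part of the original thread or of Microsoft's documentation. The OU path and account name are placeholders, the ACE shapes it looks for are an assumption about what the Delegate Control wizard writes for those choices, and the optional grant relies on dsacls.exe (part of the Support Tools on Windows Server 2003).

```powershell
# Added example. Placeholders (assumptions, not values from the thread):
$OuDn      = 'OU=Workstations,DC=example,DC=com'  # OU for prestaged computer accounts
$WdsServer = 'EXAMPLE\WDS01$'                     # computer account of the WDS server
$Apply     = $false                               # $true = add missing ACEs with dsacls.exe

# schemaIDGUID of the AD "computer" class, used in object-specific ACEs
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AdRights      = [System.DirectoryServices.ActiveDirectoryRights]
$NtAccount     = [System.Security.Principal.NTAccount]

# Read the OU's DACL (explicit and inherited) with trustees shown as DOMAIN\name,
# keeping only Allow ACEs granted directly to the WDS server's computer account
$ou   = [ADSI]"LDAP://$OuDn"
$aces = @($ou.psbase.ObjectSecurity.GetAccessRules($true, $true, $NtAccount) |
          Where-Object { $_.IdentityReference.Value -eq $WdsServer -and
                         $_.AccessControlType -eq 'Allow' })

# "Create selected objects in this folder", limited to Computer objects
$canCreate = @($aces | Where-Object {
    ($_.ActiveDirectoryRights -band $AdRights::CreateChild) -and
    $_.ObjectType -eq $ComputerClass }).Count -gt 0

# "Write all Properties", inherited onto computer objects below the OU
$canWrite = @($aces | Where-Object {
    ($_.ActiveDirectoryRights -band $AdRights::WriteProperty) -and
    $_.ObjectType -eq [Guid]::Empty -and
    $_.InheritedObjectType -eq $ComputerClass -and
    $_.InheritanceType -ne 'None' }).Count -gt 0

"Create computer objects : $canCreate"
"Write all properties    : $canWrite"

if ($Apply) {
    # ${...} stops PowerShell from parsing "$WdsServer:" as a scoped variable
    # CC;computer  = create child objects of class computer (this OU and below)
    if (-not $canCreate) { dsacls.exe $OuDn /I:T /G "${WdsServer}:CC;computer" }
    # WP;;computer = write all properties on descendant computer objects only
    if (-not $canWrite)  { dsacls.exe $OuDn /I:S /G "${WdsServer}:WP;;computer" }
}
```

The script only matches ACEs whose trustee is the server account itself, so rights the server holds through group membership are not reported.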