Access Denied when approving Pending Devices in Windows Deployment Services

Posted on 2009-07-07
Last Modified: 2013-12-12
I've recently setup Windows Deployment Services on our secondary domain controller Windows Server 2003 box. The server also performs DHCP and DNS server roles.

Everything is working great except for the approval of Pending Devices. I've set the PXE Response Settings in WDS to 'Respond to all (known and unknown) client computers' with the 'For unknown clients, notify administrator and respond after approval' box checked.

Problem is when I try to 'Name and Approve' or 'Approve' a device I get the following error...

Pending Device

Access is denied.

...the Directory Services tab is configured to add accounts to 'The following location:' which is set to our default OU for computer accounts. The server, network admin account (which I'm using to RDP the WDS server) and the domain admins group all have full control to that OU.

I can add new computers to that OU using the Active Directory Users and Computers snap in on the WDS server and also using the DSADD COMPUTER command line tool.

I've googled the hell out of this issue but can only find solutions regarding permissions on the OU (which I've pretty much ruled out given the above) or different languges between severs (both primary DC and the secondary DC/WDS server are set to UK English.

Very confused, would love to get this working though!


Question by:ISGJackson08
  • 4
  • 4

Expert Comment

ID: 24844199
I have the exact scenario listed here, Single DC with DNS, DHCP, WDS roles installed. Windows Server 2003 SP2.

The one piece of advice that I found, said to move the RemoteInstall directory from the system volume to another. Ran "wdsutil /uninitialize-server" then Moved the remoteinstall directory to another drive.Then ran "wdsutil /initialize-server /reminst:E:\RemoteInstall"

Error persists. I'm going to remove the role and readd it next. No idea what's causing this otherwise. I will post when I find something.

Did that to no avail.

Author Comment

ID: 24847888
Hi ryank1,

That's very interesting actually, my folders are also on the system volume. During the initial install it did warn me that it's best practice not to install it on the system volume, but it's a single partition system. I also tried installing it on a network drive but that failed, I didn't make a note of the error.

Since I haven't done much configuring yet I'll try and rip out WDS and re-install it, perhaps on an external HDD if there is one laying around.

Cheers for your thoughts.

Accepted Solution

ryank1 earned 500 total points
ID: 24849524
After hours and hours of battling this, I resolved it in my environment this morning. Here's what I did:

Taken from:
PXE response policy. This policy, which defines how to respond to client network boot requests, is stored on the servers SCP. Configuring these settings requires read and write permissions to the SCP object.

To grant permissions to the SCP object

Open Active Directory Users and Computers.

Click View, and then click Advanced Features (if it is not already enabled).

Right click the computer account for you Windows Deployment Services server, and click Properties. (In my case its the DC)

On the Remote Install tab, select Advanced Settings&

Select the Security tab, and click Add&

Select the user or group, (administrator) and then select Full Control on this object.

Let me know if this works for you!!! I'm very curious and hope you can benefit from this.
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.


Author Comment

ID: 24868597
Okay, tried your SCP permissions fix but sadly it hasn't helped in my case. Have got an external HDD on order with our supplier so I'll try recreating the RemoteInstall folder on there when it arrives.



Expert Comment

ID: 24869035
That's a bummer. The other thing besides moving RemoteInstall off of system volume was to check permissions on the mgmt dir where the database lives. (See attached)
I will try to backtracking everything I did to see if theres anything else along the way.



Author Comment

ID: 25034294
Sorry for the long delay, was waiting for the external HDD to arrive from our supplier. I've re-setup WDS with all the related folders (including RemoteInstall) on the drive but it hasn't helped the issue.

ryank1, I've also checked the NTFS permissions on that folder and have given the Domain Admins group as well as the network admin account and system account full access. Anything I'm missing?

Expert Comment

ID: 25034632
When you gave them "full access" did you do that from the security tab of the computer object? I made this mistake initially. It actually needs to be changed under the remote install tab, under advanced. Here's where you should check:

Author Closing Comment

ID: 31600549
Hi ryank1,

Thanks for your hard work on this, I've actually manged to resolve it. You were very close with the SCP object stuff. In fact the solution was on the same site you linked me to! (

Here is what I missed, I had assumed giving the server's computer account full access to the Computer OU would be enough. Apparently not...

To grant permissions to approve a pending computer

Open Active Directory Users and Computers.

Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control.

On the first screen of the wizard, click Next.

Change the object type to include computers.

Add the computer object of the Windows Deployment Services server, and then click Next.

Select Create a Custom task to delegate.

Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next.

In the Permissions box, select the Write all Properties check box, and click Finish.

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Questions about DHCP migration 5 61
Windows 2012 PKI in a hybrid org 3 48
Office 2016 GPOs in Server 2012R2 5 27
Lync 2010 4 25
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question