

Access Denied when approving Pending Devices in Windows Deployment Services

Posted on 2009-07-07
Medium Priority
Last Modified: 2013-12-12
I've recently set up Windows Deployment Services on our secondary domain controller Windows Server 2003 box. The server also performs DHCP and DNS server roles.

Everything is working great except for the approval of Pending Devices. I've set the PXE Response Settings in WDS to 'Respond to all (known and unknown) client computers' with the 'For unknown clients, notify administrator and respond after approval' box checked.

Problem is when I try to 'Name and Approve' or 'Approve' a device I get the following error...

Pending Device

Access is denied.

...the Directory Services tab is configured to add accounts to 'The following location:' which is set to our default OU for computer accounts. The server, network admin account (which I'm using to RDP the WDS server) and the domain admins group all have full control to that OU.

I can add new computers to that OU using the Active Directory Users and Computers snap in on the WDS server and also using the DSADD COMPUTER command line tool.

I've googled the hell out of this issue but can only find solutions regarding permissions on the OU (which I've pretty much ruled out given the above) or different languages between servers (both primary DC and the secondary DC/WDS server are set to UK English).

Very confused, would love to get this working though!


Question by:ISGJackson08

Expert Comment

ID: 24844199
I have the exact scenario listed here, Single DC with DNS, DHCP, WDS roles installed. Windows Server 2003 SP2.

The one piece of advice that I found said to move the RemoteInstall directory from the system volume to another. Ran "wdsutil /uninitialize-server", then moved the RemoteInstall directory to another drive. Then ran "wdsutil /initialize-server /reminst:E:\RemoteInstall"

Error persists. I'm going to remove the role and readd it next. No idea what's causing this otherwise. I will post when I find something.

Did that to no avail.

Author Comment

ID: 24847888
Hi ryank1,

That's very interesting actually, my folders are also on the system volume. During the initial install it did warn me that it's best practice not to install it on the system volume, but it's a single partition system. I also tried installing it on a network drive but that failed, I didn't make a note of the error.

Since I haven't done much configuring yet I'll try and rip out WDS and re-install it, perhaps on an external HDD if there is one laying around.

Cheers for your thoughts.

Accepted Solution

ryank1 earned 2000 total points
ID: 24849524
After hours and hours of battling this, I resolved it in my environment this morning. Here's what I did:

Taken from:
PXE response policy. This policy, which defines how to respond to client network boot requests, is stored on the server's SCP. Configuring these settings requires read and write permissions to the SCP object.

To grant permissions to the SCP object

Open Active Directory Users and Computers.

Click View, and then click Advanced Features (if it is not already enabled).

Right-click the computer account for your Windows Deployment Services server, and click Properties. (In my case it's the DC)

On the Remote Install tab, select Advanced Settings...

Select the Security tab, and click Add...

Select the user or group, (administrator) and then select Full Control on this object.

Let me know if this works for you!!! I'm very curious and hope you can benefit from this.


Author Comment

ID: 24868597
Okay, tried your SCP permissions fix but sadly it hasn't helped in my case. Have got an external HDD on order with our supplier so I'll try recreating the RemoteInstall folder on there when it arrives.



Expert Comment

ID: 24869035
That's a bummer. The other thing besides moving RemoteInstall off of system volume was to check permissions on the mgmt dir where the database lives. (See attached)
I will try backtracking everything I did to see if there's anything else along the way.



Author Comment

ID: 25034294
Sorry for the long delay, was waiting for the external HDD to arrive from our supplier. I've re-setup WDS with all the related folders (including RemoteInstall) on the drive but it hasn't helped the issue.

ryank1, I've also checked the NTFS permissions on that folder and have given the Domain Admins group as well as the network admin account and system account full access. Anything I'm missing?

Expert Comment

ID: 25034632
When you gave them "full access" did you do that from the security tab of the computer object? I made this mistake initially. It actually needs to be changed under the remote install tab, under advanced. Here's where you should check:

Author Closing Comment

ID: 31600549
Hi ryank1,

Thanks for your hard work on this, I've actually managed to resolve it. You were very close with the SCP object stuff. In fact the solution was on the same site you linked me to! (

Here is what I missed, I had assumed giving the server's computer account full access to the Computer OU would be enough. Apparently not...

To grant permissions to approve a pending computer

Open Active Directory Users and Computers.

Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control.

On the first screen of the wizard, click Next.

Change the object type to include computers.

Add the computer object of the Windows Deployment Services server, and then click Next.

Select Create a Custom task to delegate.

Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next.

In the Permissions box, select the Write all Properties check box, and click Finish.
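
A command-line equivalent of the Delegate Control steps in the closing comment, as an added example that is not part of the original thread. It uses `dsacls` to grant the WDS server's computer account only "create computer objects" and "write all properties on computer objects" on the target OU; the OU distinguished name and the `EXAMPLE\WDS01$` account are placeholder assumptions to replace with your own values.

```powershell
# Added example: the two values below are placeholders, not values from the thread.
$OuDn      = 'OU=Workstations,DC=example,DC=local'  # OU chosen on the WDS "Directory Services" tab
$WdsServer = 'EXAMPLE\WDS01$'                       # computer account of the WDS server (trailing $)

# Run dsacls and stop on failure so a half-applied delegation is noticed.
function Invoke-Dsacls {
    param([string[]]$Arguments)
    $out = & dsacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed: $($out -join "`n")" }
    $out
}

# Wizard step "Computer Objects" + "Create selected objects in this folder":
# CC = create child, limited to object class 'computer'; /I:T = this OU and sub-containers.
Invoke-Dsacls @($OuDn, '/I:T', '/G', "${WdsServer}:CC;computer") | Out-Null

# Wizard step "Write all Properties":
# WP with an empty property field = all properties; the third field limits the ACE
# to computer objects; /I:S = descendant objects only, not the OU itself.
Invoke-Dsacls @($OuDn, '/I:S', '/G', "${WdsServer}:WP;;computer") | Out-Null

# Review what the server account now holds on the OU. Expect only the two entries
# granted above, plus anything it inherits from parent containers.
Invoke-Dsacls @($OuDn) | Select-String -SimpleMatch $WdsServer
```

Run it as an account that can modify the OU's ACL. Scoping both entries to the `computer` class keeps the server account from creating or modifying users, groups or other object types in that OU.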


Question has a verified solution.
