Access Denied when approving Pending Devices in Windows Deployment Services

I've recently setup Windows Deployment Services on our secondary domain controller Windows Server 2003 box. The server also performs DHCP and DNS server roles.

Everything is working great except for the approval of Pending Devices. I've set the PXE Response Settings in WDS to 'Respond to all (known and unknown) client computers' with the 'For unknown clients, notify administrator and respond after approval' box checked.

Problem is when I try to 'Name and Approve' or 'Approve' a device I get the following error...

Pending Device

Access is denied.

...the Directory Services tab is configured to add accounts to 'The following location:' which is set to our default OU for computer accounts. The server, network admin account (which I'm using to RDP the WDS server) and the domain admins group all have full control to that OU.

I can add new computers to that OU using the Active Directory Users and Computers snap in on the WDS server and also using the DSADD COMPUTER command line tool.

I've googled the hell out of this issue but can only find solutions regarding permissions on the OU (which I've pretty much ruled out given the above) or different languges between severs (both primary DC and the secondary DC/WDS server are set to UK English.

Very confused, would love to get this working though!


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I have the exact scenario listed here, Single DC with DNS, DHCP, WDS roles installed. Windows Server 2003 SP2.

The one piece of advice that I found, said to move the RemoteInstall directory from the system volume to another. Ran "wdsutil /uninitialize-server" then Moved the remoteinstall directory to another drive.Then ran "wdsutil /initialize-server /reminst:E:\RemoteInstall"

Error persists. I'm going to remove the role and readd it next. No idea what's causing this otherwise. I will post when I find something.

Did that to no avail.
ISGJackson08Author Commented:
Hi ryank1,

That's very interesting actually, my folders are also on the system volume. During the initial install it did warn me that it's best practice not to install it on the system volume, but it's a single partition system. I also tried installing it on a network drive but that failed, I didn't make a note of the error.

Since I haven't done much configuring yet I'll try and rip out WDS and re-install it, perhaps on an external HDD if there is one laying around.

Cheers for your thoughts.
After hours and hours of battling this, I resolved it in my environment this morning. Here's what I did:

Taken from:
PXE response policy. This policy, which defines how to respond to client network boot requests, is stored on the servers SCP. Configuring these settings requires read and write permissions to the SCP object.

To grant permissions to the SCP object

Open Active Directory Users and Computers.

Click View, and then click Advanced Features (if it is not already enabled).

Right click the computer account for you Windows Deployment Services server, and click Properties. (In my case its the DC)

On the Remote Install tab, select Advanced Settings&

Select the Security tab, and click Add&

Select the user or group, (administrator) and then select Full Control on this object.

Let me know if this works for you!!! I'm very curious and hope you can benefit from this.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

ISGJackson08Author Commented:
Okay, tried your SCP permissions fix but sadly it hasn't helped in my case. Have got an external HDD on order with our supplier so I'll try recreating the RemoteInstall folder on there when it arrives.


That's a bummer. The other thing besides moving RemoteInstall off of system volume was to check permissions on the mgmt dir where the database lives. (See attached)
I will try to backtracking everything I did to see if theres anything else along the way.


ISGJackson08Author Commented:
Sorry for the long delay, was waiting for the external HDD to arrive from our supplier. I've re-setup WDS with all the related folders (including RemoteInstall) on the drive but it hasn't helped the issue.

ryank1, I've also checked the NTFS permissions on that folder and have given the Domain Admins group as well as the network admin account and system account full access. Anything I'm missing?
When you gave them "full access" did you do that from the security tab of the computer object? I made this mistake initially. It actually needs to be changed under the remote install tab, under advanced. Here's where you should check:
ISGJackson08Author Commented:
Hi ryank1,

Thanks for your hard work on this, I've actually manged to resolve it. You were very close with the SCP object stuff. In fact the solution was on the same site you linked me to! (

Here is what I missed, I had assumed giving the server's computer account full access to the Computer OU would be enough. Apparently not...

To grant permissions to approve a pending computer

Open Active Directory Users and Computers.

Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control.

On the first screen of the wizard, click Next.

Change the object type to include computers.

Add the computer object of the Windows Deployment Services server, and then click Next.

Select Create a Custom task to delegate.

Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next.

In the Permissions box, select the Write all Properties check box, and click Finish.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.