Access Denied when joining an AD domain after changing rights on System32\config


Deny the local users group write/delete on %SystemRoot%\System32\config
(see attached image)

When I try to join the computer to the domain using a domain admin account, I get "Access Denied"; the computer object is created but disabled (this also happens if I create the computer object ahead of time).

Just wondering if someone could explain why this happens. Thanks

Also, the netsetup.log is attached.


NTFS-Settings-for-Config-Folder.jpg
netsetup.log
Asked by: UDF

Adam Brown (Senior Systems Admin) commented:
You'll want to get rid of the denies on the Users group. Denies take precedence over Allows, so it will deny access to all Users, and Domain Admins are typically members of the Users group as well.
UDF (Author) commented:

Just to clarify, those are the local accounts. So when I try to add it to the domain, Domain Admins are considered to be part of the local Users group?

The denies were added for compliance, btw. We use configuration software that "suggests" changes based on your compliance needs (in this case PCI DSS), and one of the changes was to set up the rights on the local Users group as such.
Adam Brown (Senior Systems Admin) commented:
Domain Admins are members of both the Domain Admins group and the Domain Users group. By default, the Domain Users group is part of the local Users group, so setting Deny access for the local Users group denies everyone in the domain access to the folder. If you were to make this change *after* adding the computer to the domain, it would probably be okay, but doing so before is probably preventing the computer from being able to make the configuration changes necessary to join the domain. To test that theory, I'd suggest removing those denies and attempting to add the computer again. If it works, put the Denies back in. If not, let me know and we can keep digging.


grantsewell commented:
Unless you've changed the Domain Admin's primary group to just Domain Admins, by default every user created becomes a member of Domain Users, which is in turn a member of local users (BUILTIN).
UDF (Author) commented:

acbrown2010:

Yep, already tested that part; it works exactly as you described.

The computer is added, the GPO applied, then removed from the domain (every step works fine). When you attempt to rejoin, you encounter a problem (that's roughly where the problem showed up: a VMware template of a server with the changes applied). If you change the NTFS permissions you can then add it again, so I pretty much knew it was the denies causing the issues at that point. Now I know the chain of how Domain Admins fall underneath the local Users group and hit the denies; that wasn't very clear to me.

Do you know roughly what is going on in the config folder when you join the domain?



Adam Brown (Senior Systems Admin) commented:
That's where the registry files are located so...pretty much everything computer side on a domain join is in that folder. You don't need to have a Deny privilege set on that folder, you just need to make sure users don't have write access to the folder.
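An added, read-only audit script (not from the thread or any of its participants) that checks the two points made above on the machine in question: whether the config folder carries a Deny ACE for BUILTIN\Users, whether the account running it sits in BUILTIN\Users (on a domain member, normally via Domain Users), and whether Users hold any write/delete Allow rights, which is what actually needs removing. It assumes the well-known SID S-1-5-32-545 for BUILTIN\Users and the folder at %SystemRoot%\System32\config; run it from an elevated PowerShell.

```powershell
# Added example, not code from the thread: read-only audit of the ACL on
# %SystemRoot%\System32\config. Nothing is changed; it only reports.
function Test-ConfigFolderAcl {
    $configPath = Join-Path $env:SystemRoot 'System32\config'
    $usersSid   = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users
    $sidType    = [System.Security.Principal.SecurityIdentifier]

    # Resolve each ACE's identity to a SID so the check works whether the ACL
    # shows 'BUILTIN\Users' or a raw SID string.
    $aces = foreach ($ace in (Get-Acl -LiteralPath $configPath).Access) {
        try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { $sid = $ace.IdentityReference.Value }   # orphaned/unresolvable SID
        [pscustomobject]@{ Sid = $sid; Ace = $ace }
    }
    $userAces = $aces | Where-Object Sid -eq $usersSid | ForEach-Object Ace

    # Deny ACEs are evaluated before Allow ACEs, so a Deny on Users also blocks
    # a Domain Admin whose token carries the Users group.
    $denies = $userAces | Where-Object AccessControlType -eq 'Deny'

    # Allow ACEs that let a member of Users alter or remove the registry hives.
    # Modify and FullControl both include these bits, so they are caught too.
    $writeMask   = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
    $writeAllows = $userAces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeMask) -ne 0)
    }

    # Membership chain described in the thread: Domain Users -> local Users.
    $token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $inUsers = [bool]($token.Groups | Where-Object Value -eq $usersSid)

    [pscustomobject]@{
        Path                = $configPath
        RunningAs           = $token.Name
        TokenHasUsersGroup  = $inUsers
        DenyAcesOnUsers     = @($denies).Count
        WriteAllowsOnUsers  = @($writeAllows).Count
        # State the thread recommends: no Deny ACE, and no write/delete Allow for Users.
        MatchesThreadAdvice = (@($denies).Count -eq 0 -and @($writeAllows).Count -eq 0)
        DenyDetails         = $denies | Select-Object FileSystemRights, InheritanceFlags
    }
}

Test-ConfigFolderAcl | Format-List
```

A result of TokenHasUsersGroup = True together with DenyAcesOnUsers greater than 0 is exactly the combination that blocks the join for a Domain Admin.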
UDF (Author) commented:
acbrown2010 & grantsewell explained why the Domain Admins group falls under the BUILTIN local Users group.
UDF (Author) commented:

Yeah, it was changed because the compliance scanning software explicitly checks for the denies. I will change it back and add notes about it.

...the registry files...  that would pretty much wrap up the explanation.  Thanks.
Adam Brown (Senior Systems Admin) commented:
The sad thing about compliance software is that it is always written by programmers. As we both know, Programmers and Admins don't go to the same parties :D