Solved

Windows Delegation of Control not working

Posted on 2011-02-22
666 Views
Last Modified: 2012-05-11
I am currently using windows server 2003 servers with Active Directory in Windows 2000 mixed functional level.

I recently took away domain admin privileges to all my IT staff, and now they are only domain users, just like any other regular user. I am trying to delegate control to them to the entire domain and allow them to add a computer to the domain.

I have a global security group created to which all IT staff members are members of.

So, I right click the root domain, and click delegate control, then I pick my IT security group, then I choose the option "Join a computer to the domain", then finish.

When anyone of my IT staff members tries to add a computer to the domain, it gives them an access denied. This is all done from the computer they are trying to add to the domain itself, they are not going into AD and adding the computer there.

Any advice?
Question by:cpadilla1
5 Comments
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 34959771
It is not a good idea to set these permissions at the root level, and I am not even sure how it is supposed to behave, because I have never done it that way.

I would delegate this right to the default "Computers" container and also to any other OU they might need to move computers into. Also, if you select the advanced view, you can use the Security tab to modify the permissions on a container/OU rather than using the wizard.



LVL 27

Expert Comment

by:KenMcF
ID: 34960099
Since you have 2000, you may have to do this at the root, since the default for new computers is the Computers container; I cannot remember and do not have 2000 to test. With 2003 you can redirect the default for new computer objects to an OU and set the permissions on that OU. You also need to set the GPO to give that group the proper rights.

http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx

http://support.microsoft.com/kb/324949

Author Comment

by:cpadilla1
ID: 35022167
OK, so following the instructions in the link provided by KenMcF, I was able to get this working to some extent.

My IT department can now add computers to and remove them from the domain. I only delegated control to the Computers container and the OUs to which computers get moved afterward, but now here is the new issue.

If user A adds a computer to the domain, and that computer is removed from the domain and joined back to a workgroup, nobody else but user A can add that computer to the domain again.

Anybody can remove the computer from the domain, and it doesn't matter who removes it; they are not able to add it back to the domain, except for the original user who joined it in the first place.

And this is the same scenario for any user (B, C, D, etc).

Any thoughts?

Accepted Solution

by:
cpadilla1 earned 0 total points
ID: 35741992
Found the solution to my problem, on this MS article.

http://support.microsoft.com/kb/932455

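Added example (not part of the thread, and not from any of the linked articles): the delegation discussed above, done from PowerShell instead of the Delegation of Control wizard. It assumes the ActiveDirectory module and the AD: drive (Windows Server 2008 R2 / RSAT or later, so not the 2003 domain controllers in the question), and the OU OU=Workstations,DC=contoso,DC=com and group IT-Staff are placeholder names. The GUIDs are the default schema and control-access-right values. Step 1 is the Create/Delete Computer Objects grant on the container that lets a non-admin join a new machine; step 2 adds the rights on computer objects that already exist, which is what a second user needs to re-join a machine another user originally joined (the follow-up symptom, where the object created by user A is owned by A and everyone else gets "access denied").

```powershell
# Added example, not from the original thread. Assumptions: ActiveDirectory
# module available, OU/group names below are placeholders, default AD GUIDs.
Import-Module ActiveDirectory

$ou    = 'OU=Workstations,DC=contoso,DC=com'   # assumed target OU
$group = Get-ADGroup 'IT-Staff'                 # assumed delegated global group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known GUIDs from the default schema / control access rights
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2' # objectClass computer
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529' # Reset Password
$validatedDns  = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd' # Validated write: dNSHostName
$validatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1' # Validated write: servicePrincipalName
$acctRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529' # Account Restrictions property set

# Helper: build one Allow ACE for the group. InheritedObjectType limits the
# ACE to descendant objects of that class (here: computer objects).
function New-DelegationAce {
    param([string]$Rights, [Guid]$ObjectType, [string]$Inheritance, $InheritedObjectType)
    $ctorArgs = @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance
    )
    if ($null -ne $InheritedObjectType) { $ctorArgs += [Guid]$InheritedObjectType }
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
}

$acl = Get-Acl -Path "AD:\$ou"

# 1. Create and delete computer objects in this OU and any sub-OUs.
#    Joining a brand-new machine creates the computer object, so this is the
#    permission the join needs when the user is not a domain admin.
foreach ($right in 'CreateChild', 'DeleteChild') {
    $acl.AddAccessRule((New-DelegationAce -Rights $right -ObjectType $computerClass -Inheritance 'All'))
}

# 2. Rights on *existing* computer objects under the OU. A re-join has to reset
#    the machine account password and rewrite dNSHostName, the SPNs and
#    userAccountControl; only the creator (and admins) can do that by default,
#    which is why a second IT user gets "access denied" on a machine someone
#    else joined first.
$descendantRights = @(
    @{ Rights = 'ExtendedRight'; Guid = $resetPassword },
    @{ Rights = 'Self';          Guid = $validatedDns  },
    @{ Rights = 'Self';          Guid = $validatedSpn  },
    @{ Rights = 'WriteProperty'; Guid = $acctRestrict  }
)
foreach ($r in $descendantRights) {
    $acl.AddAccessRule((New-DelegationAce -Rights $r.Rights -ObjectType $r.Guid `
        -Inheritance 'Descendents' -InheritedObjectType $computerClass))
}

Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Verify what the group was actually granted on the OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize

# Optional (KenMcF's point): make this OU the default location for new
# computer accounts instead of CN=Computers. redircmp needs the domain to be at
# Windows Server 2003 functional level, so it will not work at 2000 mixed.
#   redircmp "OU=Workstations,DC=contoso,DC=com"
```

Delegating only on the OUs the group actually manages, as Mike Thomas suggests, keeps the blast radius small: a compromised IT account can then create or take over computer accounts in those OUs, but cannot touch domain controllers or other containers. Check the result with the verification step rather than trusting the wizard, since an ACE with the wrong inheritance scope (for example "This object only" instead of "Descendant computer objects") produces exactly the intermittent "access denied" described in the thread.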

Author Closing Comment

by:cpadilla1
ID: 35767656
Self found answer.
Followed KB article and figured out what I was doing wrong.
