Windows Delegation of Control not working

Posted on 2011-02-22
Last Modified: 2012-05-11
I am currently using windows server 2003 servers with Active Directory in Windows 2000 mixed functional level.

I recently took away domain admin privileges to all my IT staff, and now they are only domain users, just like any other regular user. I am trying to delegate control to them to the entire domain and allow them to add a computer to the domain.

I have a global security group created to which all IT staff members are members of.

So, I right click the root domain, and click delegate control, then I pick my IT security group, then I choose the option "Join a computer to the domain", then finish.

When anyone of my IT staff members tries to add a computer to the domain, it gives them an access denied. This is all done from the computer they are trying to add to the domain itself, they are not going into AD and adding the computer there.

Any advice?
Question by:cpadilla1
Expert Comment

by:Mike Thomas
ID: 34959771
It is not a good idea to set these permissions at the root level, and I am not even sure how it is supposed to behave because I have not ever done it that way.

I would delegate this right to the default "Computers" container and also to any other OU they might need to move computers into. Also, if you select the advanced view, you can use the Security tab to modify the permissions on a container/OU rather than using the wizard.


Expert Comment

by:KenMcF
ID: 34960099
Since you have 2000 you may have to do this at that root since the default for new computers is the Computers container, I can not remember and do not have 2000 to test. With 2003 you can redirect the default for the new computer objects to an OU and set the permissions on that OU. You also need to set the GPO to give that group the proper rights.

http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx

http://support.microsoft.com/kb/324949

Author Comment

by:cpadilla1
ID: 35022167
Ok, so following the instructions on the link provided by KenMcF, I was able to get this working to some extent.

My IT department can now add computers to and remove them from the domain. I only delegated control to the Computers container and the OUs to which computers get moved afterward, but now here is the new issue.

If user A adds a computer to the domain, and that computer is removed from the domain and joined back to a workgroup, nobody else but user A can add that computer to the domain again.

Anybody can remove the computer from the domain, and it doesn't matter who removes it; they are not able to add it back to the domain, except for the original user who joined it in the first place.

And this is the same scenario for any user (B, C, D, etc).

Any thoughts?
Accepted Solution

by: cpadilla1 (earned 0 total points)
ID: 35741992
Found the solution to my problem, on this MS article.

http://support.microsoft.com/kb/932455

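Added example, not code from the original thread or from the linked KB articles: the delegation that the question, KenMcF's comment and the accepted solution describe, done with dsacls.exe from PowerShell instead of the Delegation of Control wizard. The domain CONTOSO, the group CONTOSO\IT-Staff, the OU=Workstations container and the distinguished names are assumptions; the permission names are the ones shown in the Active Directory Users and Computers Advanced Security dialog. The second function is a rough check of the resulting ACL based on dsacls' text output.

```powershell
# Added example (not from the thread): delegate "join and rejoin a computer"
# with dsacls.exe. Assumed names: CONTOSO domain, CONTOSO\IT-Staff group,
# OU=Workstations. Run as a domain admin on a DC or on a machine with the
# Windows Server 2003 Support Tools (dsacls.exe) installed.

$Domain   = 'CONTOSO'                       # assumed
$Group    = "$Domain\IT-Staff"              # assumed
$DomainDN = 'DC=contoso,DC=com'             # assumed
# Every container the IT staff create computers in or move them to.
$Containers = @(
    "CN=Computers,$DomainDN",
    "OU=Workstations,$DomainDN"
)

function Grant-ComputerJoinDelegation {
    param([string]$Container, [string]$Principal)

    # On the container itself: create and delete computer objects.
    # This is roughly what the wizard's "Join a computer to the domain"
    # task grants, and it is enough for the FIRST join only.
    & dsacls.exe $Container /G "${Principal}:CCDC;computer"

    # Inherited onto computer objects (/I:S = sub-objects only): the rights
    # needed to take over an EXISTING account when a machine is rejoined.
    # Without these, only the user who first joined the machine (its
    # CREATOR OWNER) can join it again - the symptom described in the thread.
    & dsacls.exe $Container /I:S `
        /G "${Principal}:CA;Reset Password;computer" `
        /G "${Principal}:RPWP;Account Restrictions;computer" `
        /G "${Principal}:WS;Validated write to DNS host name;computer" `
        /G "${Principal}:WS;Validated write to service principal name;computer"
}

function Test-ComputerJoinDelegation {
    param([string]$Container, [string]$Principal)

    # dsacls with no switches dumps the DACL as text; keep the ACE lines
    # that name our group and warn about any of the rejoin rights that are
    # not among them. This is a heuristic on dsacls' output, not an API call.
    $aces = & dsacls.exe $Container | Where-Object { $_ -like "*$Principal*" }
    foreach ($need in 'Reset Password',
                      'Account Restrictions',
                      'Validated write to DNS host name',
                      'Validated write to service principal name') {
        if (-not ($aces -match [regex]::Escape($need))) {
            Write-Warning "$Container : $Principal is missing '$need'"
        }
    }
    $aces
}

foreach ($c in $Containers) {
    Grant-ComputerJoinDelegation -Container $c -Principal $Group
    Test-ComputerJoinDelegation  -Container $c -Principal $Group
}
```

Why the two halves differ: creating a computer object is a right on the container, but resetting the password of a computer object that already exists is a right on that object, and the object created by the first join is owned by the user who performed it. That is why the first join by user A works and a rejoin by user B is denied until the group holds the inherited rights above. Two things outside the ACL still matter: the "Add workstations to domain" user right in the Default Domain Controllers Policy (the GPO point in KenMcF's comment) and, for accounts that hold no explicit rights, the ms-DS-MachineAccountQuota attribute, which caps joins per user at 10 by default. redircmp, which moves the default location for new computer objects from CN=Computers to an OU, requires the Windows Server 2003 domain functional level, so it will not help while the domain is still at Windows 2000 mixed.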

Author Closing Comment

by:cpadilla1
ID: 35767656
Self found answer.
Followed KB article and figured out what I was doing wrong.