Solved

Windows Delegation of Control not working

Posted on 2011-02-22 | 627 Views | Last Modified: 2012-05-11
I am currently using Windows Server 2003 servers with Active Directory at the Windows 2000 mixed functional level.

I recently took away domain admin privileges from all my IT staff, and now they are only domain users, just like any other regular user. I am trying to delegate control over the entire domain to them and allow them to add a computer to the domain.

I have a global security group to which all IT staff members belong.

So, I right click the root domain and click Delegate Control, then I pick my IT security group, then I choose the option "Join a computer to the domain", then click Finish.

When any one of my IT staff members tries to add a computer to the domain, they get an access denied error. This is all done from the computer they are trying to add to the domain itself; they are not going into AD and adding the computer there.

Any advice?
Question by: cpadilla1

5 Comments
Expert Comment by: MojoTech (LVL 24)
It is not a good idea to set these permissions at the root level, and I am not even sure how it is supposed to behave because I have never done it that way.

I would delegate this right to the default "Computers" container and also to any other OU they might need to move computers into. Also, if you select the advanced view, you can use the Security tab to modify the permissions on a container/OU rather than using the wizard.
 
LVL 27

Expert Comment

by:KenMcF
Comment Utility
Since you have 2000, you may have to do this at the root, since the default for new computers is the Computers container; I cannot remember and do not have 2000 to test. With 2003 you can redirect the default for new computer objects to an OU and set the permissions on that OU. You also need to set the GPO to give that group the proper rights.

http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx

http://support.microsoft.com/kb/324949
Author Comment by: cpadilla1
Ok, so following the instructions in the link provided by KenMcF, I was able to get this working to some extent.

My IT department can now add computers to and remove them from the domain. I only delegated control to the Computers container and the OUs to which computers get moved afterward, but now here is the new issue.

If user A adds a computer to the domain, and that computer is removed from the domain and joined back to a workgroup, nobody but user A can add that computer to the domain again.

Anybody can remove the computer from the domain, and it doesn't matter who removes it; they are not able to add it back to the domain, except for the original user who joined it in the first place.

And this is the same scenario for any user (B, C, D, etc.).

Any thoughts?
Accepted Solution by: cpadilla1 (earned 0 total points)
Found the solution to my problem in this MS article.

http://support.microsoft.com/kb/932455
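The accepted fix points at a KB article rather than showing what was actually delegated. As an added example (not code from the thread, the asker, or Microsoft), the PowerShell below lists the ACEs the delegated group holds on the Computers container, flags rights that are not inherited by objects below it, and reports the owner and group ACEs of one existing computer account that only its original joiner can re-join. It assumes the ActiveDirectory module (RSAT) is installed; the group and computer names are placeholders.

```powershell
# Added example, not code from the thread or from Microsoft. Requires the
# ActiveDirectory PowerShell module (RSAT); group and computer names are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'IT-Staff'        # placeholder: the delegated global security group
$ComputerCn = 'WORKSTATION01'   # placeholder: a machine only its original joiner can re-join

$domainDn  = (Get-ADDomain).DistinguishedName
$container = "CN=Computers,$domainDn"

# Schema class GUID of the "computer" object class. An ACE with CreateChild/DeleteChild
# and this ObjectType is what the wizard's "Create/Delete computer objects" grants.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Describe-Ace($ace) {
    $target = switch ($ace.ObjectType) {
        ([guid]::Empty)  { 'all attributes/classes' }
        ($computerClass) { 'computer objects' }
        default          { "object/attribute $($ace.ObjectType)" }
    }
    '{0,-5} {1,-45} on {2,-28} inherit={3}' -f $ace.AccessControlType,
        $ace.ActiveDirectoryRights, $target, $ace.InheritanceType
}

# 1. What does the group hold on the Computers container itself?
$acl = Get-Acl -Path "AD:\$container"
$groupAces = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$GroupName" }
"ACEs for $GroupName on $container"
$groupAces | ForEach-Object { Describe-Ace $_ }

# ACEs that stop at the container (InheritanceType None) are not propagated to the
# computer accounts below it, so a second joiner is judged by the existing
# account's own ACL, not by what was delegated on the container.
if (-not ($groupAces | Where-Object { $_.InheritanceType -ne 'None' })) {
    "WARNING: no ACE for $GroupName is inherited by objects below the container"
}

# 2. Who owns the existing computer account, and what does the group hold on it?
$computerDn  = "CN=$ComputerCn,$container"
$computerAcl = Get-Acl -Path "AD:\$computerDn"
"Owner of $computerDn : $($computerAcl.Owner)"
$computerAcl.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    ForEach-Object { Describe-Ace $_ }
```

Run it as a user who can read the container's and the computer account's security descriptors; comparing the two outputs shows whether the group's rights on the container ever reach the existing account.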
Author Closing Comment by: cpadilla1
Self found answer.
Followed KB article and figured out what I was doing wrong.