
Solved

Windows Delegation of Control not working

Posted on 2011-02-22
676 Views
Last Modified: 2012-05-11
I am currently using Windows Server 2003 servers with Active Directory at the Windows 2000 mixed functional level.

I recently took away domain admin privileges from all my IT staff, and now they are only domain users, just like any other regular user. I am trying to delegate control to them over the entire domain and allow them to add a computer to the domain.

I have a global security group created to which all IT staff members are members of.

So, I right click the root domain, and click delegate control, then I pick my IT security group, then I choose the option "Join a computer to the domain", then finish.

When anyone of my IT staff members tries to add a computer to the domain, it gives them an access denied. This is all done from the computer they are trying to add to the domain itself, they are not going into AD and adding the computer there.

Any advice?
0
Question by:cpadilla1
5 Comments
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 34959771
It is not a good idea to set these permissions at the root level, and I am not even sure how it is supposed to behave because I have not ever done it that way.

I would delegate this right to the default "Computers" container and also to any other OU they might need to move computers into. Also, if you select the advanced view, you can use the Security tab to modify the permissions on a container/OU rather than using the wizard.



0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34960099
Since you have 2000, you may have to do this at the root, since the default location for new computers is the Computers container; I cannot remember and do not have 2000 to test. With 2003 you can redirect the default location for new computer objects to an OU and set the permissions on that OU. You also need to set the GPO to give that group the proper rights.

http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx

http://support.microsoft.com/kb/324949
0
 

Author Comment

by:cpadilla1
ID: 35022167
Ok, so following the instructions on the link provided by KenMcF, I was able to get this working to some extent.

My IT department can now add computers to and remove computers from the domain. I only delegated control to the Computers container and the OUs to which computers get moved afterward, but now here is the new issue.

If user A adds a computer to the domain, and that computer is removed from the domain and joined back to a workgroup, nobody else but user A can add that computer to the domain again.

Anybody can remove the computer from the domain, and it doesn't matter who removes it; they are not able to add it back to the domain, except for the original user who joined it in the first place.

And this is the same scenario for any user (B, C, D, etc).

Any thoughts?
0
 

Accepted Solution

by:cpadilla1 (earned 0 total points)
ID: 35741992
Found the solution to my problem in this MS article.

http://support.microsoft.com/kb/932455

0
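As an added example that is not part of this thread (and not taken from the linked KB article or from any of the posters), the following PowerShell script shows one way to grant a group the delegated rights needed both to join computers to an OU and to re-join a computer whose account already exists in that OU, which is the symptom the author hit after delegating only on the container. It assumes the ActiveDirectory PowerShell module and its `AD:` drive are available (Windows Server 2008 R2 or later, or RSAT), an OU distinguished name such as `OU=Workstations,DC=example,DC=com`, and a group name such as `IT Staff`; the OU, domain and group names are placeholders. The set of rights it grants (create/delete computer objects on the OU, and on existing computer objects: Reset Password, read/write Account Restrictions, and the two validated writes for DNS host name and service principal name) is the commonly used set for delegated domain joins; whether it matches the KB article exactly is an assumption. The GUIDs for those rights are looked up from the forest's schema and Extended-Rights containers at run time rather than hard-coded.

```powershell
# Added example: delegate "join and re-join computers" rights on one OU.
# Requires the ActiveDirectory module (Windows Server 2008 R2+ / RSAT).
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Resolve the rightsGuid of an extended right or property set by its display name.
function Get-ControlAccessRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    if (-not $obj) { throw "Control access right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

# Resolve the schemaIDGUID of a class (here: computer) by its LDAP display name.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema class '$LdapDisplayName' not found" }
    return New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$obj.schemaIDGUID)
}

function Grant-ComputerJoinDelegation([string]$OuDN, [string]$GroupName) {
    $sid         = (Get-ADGroup -Identity $GroupName).SID
    $computerCls = Get-SchemaClassGuid 'computer'
    $resetPwd    = Get-ControlAccessRightGuid 'Reset Password'
    $acctRestr   = Get-ControlAccessRightGuid 'Account Restrictions'
    $validDns    = Get-ControlAccessRightGuid 'Validated write to DNS host name'
    $validSpn    = Get-ControlAccessRightGuid 'Validated write to service principal name'

    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    $rules = @(
        # 1. Create and delete computer objects in this OU and its sub-OUs.
        #    This alone lets someone join a NEW computer but not re-join an existing one.
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'CreateChild, DeleteChild', $allow, $computerCls, $all)
        # 2. Reset Password on existing computer objects (re-join resets the account password).
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'ExtendedRight', $allow, $resetPwd, $desc, $computerCls)
        # 3. Read/write the Account Restrictions property set (userAccountControl etc.).
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'ReadProperty, WriteProperty', $allow, $acctRestr, $desc, $computerCls)
        # 4./5. Validated writes so the joining machine can set dNSHostName and SPNs.
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'Self', $allow, $validDns, $desc, $computerCls)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'Self', $allow, $validSpn, $desc, $computerCls)
    )

    $acl = Get-Acl -Path "AD:\$OuDN"
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# Check: list the ACEs the group now holds on the OU, so the delegation can be audited.
function Get-ComputerJoinDelegation([string]$OuDN, [string]$GroupName) {
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType
}

# Placeholder values; replace with your own OU and group.
Grant-ComputerJoinDelegation -OuDN 'OU=Workstations,DC=example,DC=com' -GroupName 'IT Staff'
Get-ComputerJoinDelegation   -OuDN 'OU=Workstations,DC=example,DC=com' -GroupName 'IT Staff'
```

The usual reason only the original joiner can re-join is that rule 1 on its own grants rights over new child objects, while the existing computer object is owned by whoever created it; the owner has implicit rights over that object and everyone else in the group has none, so the second join attempt is denied. Rules 2 through 5 apply to descendant computer objects regardless of who created them, which closes that gap. On Windows Server 2003 without the ActiveDirectory module, the same ACEs can be set with `dsacls` from the Support Tools, and `redircmp` can point the default computer location at the delegated OU as KenMcF describes; both are assumptions about tooling for that platform rather than steps taken from the thread. Run the `Get-` function before and after to confirm the change and keep the output for your change record.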
 

Author Closing Comment

by:cpadilla1
ID: 35767656
Self found answer.
Followed KB article and figured out what I was doing wrong.
0
