Windows Delegation of Control not working

Posted on 2011-02-22
677 Views
Last Modified: 2012-05-11
I am currently using Windows Server 2003 servers with Active Directory at the Windows 2000 mixed functional level.

I recently took away domain admin privileges from all my IT staff, and now they are only domain users, just like any other regular user. I am trying to delegate control of the entire domain to them and allow them to add a computer to the domain.

I have a global security group created, of which all IT staff members are members.

So, I right-click the root domain and click Delegate Control, then I pick my IT security group, then I choose the option "Join a computer to the domain", then Finish.

When any of my IT staff members tries to add a computer to the domain, they get an "access denied" error. This is all done from the computer they are trying to add to the domain itself; they are not going into AD and adding the computer there.

Any advice?

Question by: cpadilla1
LVL 24

Expert Comment

by:Mike Thomas
ID: 34959771
It is not a good idea to set these permissions at the root level, and I am not even sure how it is supposed to behave because I have not ever done it that way.

I would delegate this right to the default "Computers" container and also to any other OU they might need to move computers into. Also, if you select the advanced view, you can use the Security tab to modify the permissions on a container/OU rather than using the wizard.
LVL 27

Expert Comment

by:KenMcF
ID: 34960099
Since you have 2000, you may have to do this at the root, since the default for new computers is the Computers container; I cannot remember and do not have 2000 to test. With 2003 you can redirect the default for new computer objects to an OU and set the permissions on that OU. You also need to set the GPO to give that group the proper rights.

http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx

http://support.microsoft.com/kb/324949

Author Comment

by:cpadilla1
ID: 35022167
Ok, so following the instructions on the link provided by KenMcF, I was able to get this working to some extent.

My IT department can now add and remove computers to and from the domain. I only delegated control to the Computers container and the OUs to which computers get moved afterward, but now here is the new issue.

If user A adds a computer to the domain, and that computer is removed from the domain and joined back to a workgroup, nobody else but user A can add that computer to the domain again.

Anybody can remove the computer from the domain, and it doesn't matter who removes it; they are not able to add it back to the domain, except for the original user who joined it in the first place.

And this is the same scenario for any user (B, C, D, etc).

Any thoughts?
Accepted Solution

by: cpadilla1 (earned 0 total points)
ID: 35741992
Found the solution to my problem in this MS article.

http://support.microsoft.com/kb/932455
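
When delegation behaves the way the author describes (only the person who originally joined the machine can join it again), the first thing to check is what the delegated group actually holds on the Computers container versus on the existing computer object, and who owns that object. The following PowerShell check is an added example, not part of this thread or of the KB article; it assumes the ActiveDirectory module (RSAT) is installed, and the group and computer names are placeholders.

```powershell
# Added example (not from the thread): audit delegated ACEs and object owner.
# Assumes the ActiveDirectory module is available; names below are placeholders.
Import-Module ActiveDirectory

$Group    = 'CONTOSO\IT-Staff'   # placeholder: the delegated global security group
$Computer = 'WS-TEST01'          # placeholder: a machine that was rejoined

$domainDN = (Get-ADDomain).DistinguishedName
$paths = @("AD:\CN=Computers,$domainDN")

# Include the existing computer object, if it is already present in AD
$obj = Get-ADComputer -Identity $Computer -ErrorAction SilentlyContinue
if ($obj) { $paths += "AD:\$($obj.DistinguishedName)" }

foreach ($path in $paths) {
    Write-Host "`n== $path"
    $acl = Get-Acl -Path $path

    # The owner of a computer object is normally the account that created it
    Write-Host "Owner: $($acl.Owner)"

    # Explicit (non-inherited) ACEs are the ones delegation or a join created;
    # ObjectType/InheritedObjectType are schema GUIDs for per-attribute rights
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType,
                      ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType |
        Format-Table -AutoSize

    # Flag paths where the delegated group has no ACE at all (inherited or not)
    $grp = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group }
    if (-not $grp) { Write-Warning "$Group holds no ACE on $path" }
}
```

Comparing the two listings shows whether the group's rights on the container were inherited by the existing computer object or whether only the owner (and administrators) can write it.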


Author Closing Comment

by:cpadilla1
ID: 35767656
Self found answer.
Followed KB article and figured out what I was doing wrong.