I have a whole bunch of laptops which are currently being re-imaged. Once this process is complete, the next step is to add them to the domain using a temporary account to which I have delegated access to join machines to the domain, but I am getting an error message:
“The Join Operation was not successfully. This could be because an existing computer having name “XXXXXXX” was previously created using a different set of credentials. Use a different computer name or contact your administrator to remove any stale conflicting account. To the error was Access is denied”
The laptop accounts are still in their respective OUs, and I have deleted one of the computer objects from the domain, assuming that it conflicts with the same laptop name which associates to a unique SID, but unfortunately I still get the same issue.
I have no issue re-joining the laptop to the domain if I use my own account which has Domain Admin rights.
I delegated the following permissions:
- Create selected objects in this folder and Delete selected objects in this folder.
- Reset Password
- Read and write Account Restrictions
- Validated write to DNS host name
- Validated write to service principal name
Essentially I want to give this account the very minimal amount of permissions to simply re-add these computer accounts to the domain.
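The following PowerShell script is an added example, not code from the original post. It audits the ACL of the OU that holds the laptop accounts and reports, for each of the five permissions listed above, whether the delegated account holds it and whether it is applied to descendant computer objects rather than only to the OU itself (a join to an existing computer account needs the rights on the existing object, which the temporary account did not create and so does not own). It assumes the RSAT ActiveDirectory module and its `AD:` drive are available; the OU distinguished name and the account name are placeholders to replace.

```powershell
# Added example: verify the delegated join permissions on an OU.
# Assumptions: RSAT ActiveDirectory module present; $OuDn and $Account are placeholders.
Import-Module ActiveDirectory

$OuDn    = 'OU=Laptops,DC=corp,DC=example'   # assumption: the OU holding the laptop accounts
$Account = 'CORP\svc-join'                    # assumption: the delegated temporary account

# Well-known schema class, property-set and extended-right GUIDs used by the
# delegation wizard for the entries listed in the question.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$Expected = @(
    @{ Name = 'Create/Delete Computer objects';   Rights = 'CreateChild, DeleteChild';
       ObjectType = $ComputerClass;                                   OnDescendants = $false }
    @{ Name = 'Reset Password';                   Rights = 'ExtendedRight';
       ObjectType = [guid]'00299570-246d-11d0-a768-00aa006e0529';    OnDescendants = $true  }
    @{ Name = 'Read/Write Account Restrictions';  Rights = 'ReadProperty, WriteProperty';
       ObjectType = [guid]'4c164200-20c0-11d0-a768-00aa006e0529';    OnDescendants = $true  }
    @{ Name = 'Validated write to DNS host name'; Rights = 'Self';
       ObjectType = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd';    OnDescendants = $true  }
    @{ Name = 'Validated write to SPN';           Rights = 'Self';
       ObjectType = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1';    OnDescendants = $true  }
)

function Test-JoinDelegation {
    param([string]$OuDn, [string]$Account)

    # Only Allow ACEs granted directly to the delegated identity are considered;
    # rights inherited through group membership would need a separate check.
    $acl  = Get-Acl -Path "AD:\$OuDn"
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $Account
    })

    foreach ($e in $Expected) {
        $wantRights = [System.DirectoryServices.ActiveDirectoryRights]$e.Rights
        $match = @($aces | Where-Object {
            # The ACE must carry at least the wanted rights for the wanted object type ...
            (($_.ActiveDirectoryRights -band $wantRights) -eq $wantRights) -and
            ($_.ObjectType -eq $e.ObjectType) -and
            # ... and, for per-object rights, be inherited by descendant computer objects.
            ((-not $e.OnDescendants) -or (
                ($_.InheritedObjectType -eq $ComputerClass) -and
                ($_.InheritanceType -in 'Descendents', 'All')))
        })
        [pscustomobject]@{
            Permission = $e.Name
            Granted    = ($match.Count -gt 0)
            Scope      = if ($match.Count -gt 0) { $match[0].InheritanceType } else { 'missing' }
        }
    }
}

Test-JoinDelegation -OuDn $OuDn -Account $Account | Format-Table -AutoSize
```

A row that shows `Granted` as `False`, or a `Scope` other than `Descendents` or `All` for the per-object rights, indicates an entry that was applied to the OU itself but not to the computer objects it contains, which is the case the "previously created using a different set of credentials" error points at.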