Delegate AD workstations to domain

"skip" <shofm***@kbb.com> wrote:

Hello all

I am running in a Windows 2003 native mode domain; all DCs are Windows 2008 except for one, I have 4 DCs. I have configured the default domain GPO so the help desk staff can add workstations to the domain, and I have also delegated rights on the OU to the help desk staff so they can create and delete computer objects. The help desk staff is able to add workstations to the domain, but I am noticing something very strange. This is what is going on:

Help desk staff adds MachineY to the domain. MachineY gets removed from the domain and the object gets deleted out of AD. Force AD replication. Help desk staff attempts to re-add MachineY to the domain, but gets error message (access denied). If the help desk staff renames the machine to MachineB, help desk staff can add the machine to the domain successfully. I created a new account and added the account to the help desk AD group; I then used this account to add a machine to the domain that had previously been added, but removed and deleted out of AD. I was successful in adding it to the domain.

This issue to me smells like AD is allowing a certain number of machines to be added to the domain by a user account, otherwise I would have seen the same error message when adding the machine to the domain using my test account. Is there a way to increase the number of computer objects users can add to the domain?


"Marcin" <marcin@community.nospam> wrote in message news:%23mZKJ4%23qJHA.1748@TK2MSFTNGP05.phx.gbl... (in reply to "skip" <shofm***@kbb.com>, news:4012A0C1-54B7-43EB-BECD-F2B528C2A5B9@microsoft.com):

ms-DS-MachineAccountQuota controls the number of computer accounts which can be created by Authenticated Users (more info at http://support.microsoft.com/kb/243327); however, as far as I can tell, its value does not play a role in the scenario you are describing (since in your case, the process is based on custom AD permissions limited to a specific group). Instead, it is more likely that http://support.microsoft.com/kb/329195 contains the resolution to your problem...

hth
Marcin


"skip" <shofm***@kbb.com> wrote (in reply to Marcin):

I got this working.

I used ADSI Edit, found the OU that the workstations get added into when added to the domain, right-clicked > Properties > Security > Advanced, highlighted the help desk group, clicked Edit, and selected "Write all properties" = "Allow". The help desk group already had Create and Delete Computer Objects, so it seems the group needed the "Write all properties" permission. This issue didn't have anything to do with AD replication.

Again, this was the issue:

1. Help desk staff adds computer account to the domain.
2. Help desk staff removes machine from the domain and deletes the computer object from AD.
3. Help desk staff waits 1 hour before trying to add the machine back to the domain.
4. Help desk staff attempts to add machine back to the domain and gets "access denied".
5. If help desk staff changes the name of the machine, they can add the machine to the domain.

Setting the "Write all properties" permission seems to have fixed this issue.


"Jorge Silva" wrote (in reply to "skip" <shofm***@kbb.com>, news:4012A0C1-54B7-43EB-BECD-F2B528C2A5B9@microsoft.com):

Hi,
read this: http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
--
I hope that the information above helps you.
Have a nice day.
Jorge Silva
MVP Directory Services


"Meinolf Weber" wrote (in reply to "skip" <shofm***@kbb.com>):

Hello skip,

See this article: http://support.microsoft.com/kb/243327/en-us

And this one to re-add an existing computer object, e.g. to reinstall a computer without deleting it in AD: http://support.microsoft.com/kb/932455

The problem is that the computer account password reset has to be delegated additionally.

Also you should not change the default domain or domain controller policy; better create a new policy on the same level. This makes it easier, in case of failures, to go back to the default policies.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
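The replies above point at two different controls: the domain-wide ms-DS-MachineAccountQuota attribute (KB 243327), which only governs joins by Authenticated Users, and the per-OU delegation on computer objects, where Meinolf notes that re-joining an already existing computer account needs "Reset Password" delegated on top of create/delete. The script below is an added example from the editor, not code posted by anyone in the thread. It reads the quota for context, lists the ACEs the help-desk group currently holds on the OU, flags an unscoped "Write all properties" grant, and, with -Apply, adds the narrower rights that a join of an existing computer account needs in place of that broad grant. The OU distinguished name and group name are placeholders; the four rights it grants (Reset Password, both validated writes, and write to the Account Restrictions property set) are the standard domain-join delegation set from KB 932455 as the editor understands it, and their GUIDs are resolved from the schema and Extended-Rights container at run time rather than hardcoded. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and a session that can write the OU's security descriptor.

```powershell
# Added example (not from the thread): audit, and optionally tighten, the
# delegation a help-desk group holds for joining computers to an OU.
# Assumes the ActiveDirectory module. OU DN and group name are placeholders.
param(
    [string]$OuDn  = 'OU=Workstations,DC=example,DC=com',   # placeholder
    [string]$Group = 'HelpDesk',                            # placeholder
    [switch]$Apply                                          # default: report only
)
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# 1. Domain-wide quota (KB 243327). Irrelevant for an explicitly delegated
#    group, but worth showing in the same report so nobody chases it.
$domain = Get-ADDomain
$quota  = (Get-ADObject $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Resolve object-class and control-access-right GUIDs from the directory
#    instead of hardcoding them.
function Get-SchemaGuid([string]$ldapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$computerClass = Get-SchemaGuid 'computer'

# Rights a join of an existing computer account needs on that computer
# object (per KB 932455, editor's reading). Create/Delete child is assumed to
# already be delegated, as in the thread.
$wanted = @(
    @{ Name = 'Reset Password';                            Right = 'ExtendedRight'; Guid = (Get-RightsGuid 'Reset Password') },
    @{ Name = 'Validated write to DNS host name';          Right = 'Self';          Guid = (Get-RightsGuid 'Validated write to DNS host name') },
    @{ Name = 'Validated write to service principal name'; Right = 'Self';          Guid = (Get-RightsGuid 'Validated write to service principal name') },
    @{ Name = 'Write Account Restrictions';                Right = 'WriteProperty'; Guid = (Get-RightsGuid 'Account Restrictions') }
)

# 3. Report what the group currently holds on the OU.
$sid = (Get-ADGroup $Group).SID
$acl = Get-Acl -Path "AD:\$OuDn"
$groupAces = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}
Write-Host "`nACEs held by $Group on $OuDn :"
foreach ($ace in $groupAces) {
    '{0,-5} {1,-45} objectType={2} inheritedObjectType={3}' -f `
        $ace.AccessControlType, $ace.ActiveDirectoryRights, $ace.ObjectType, $ace.InheritedObjectType
}

# An Allow ACE with WriteProperty and an empty objectType is the ADSI Edit
# "Write all properties" grant: it works, but it is far broader than a join needs.
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$broad = $groupAces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq [guid]::Empty -and
    (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp)
}
if ($broad) { Write-Warning "$Group has an unscoped write grant ('Write all properties'); the rights below are the narrower alternative." }

foreach ($w in $wanted) {
    $present = $groupAces | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $w.Guid }
    Write-Host ('{0,-8} {1}' -f $(if ($present) { 'present' } else { 'MISSING' }), $w.Name)
}
if (-not $Apply) { Write-Host "`nRun with -Apply to add the missing rights."; return }

# 4. Add the missing rights, scoped to descendant computer objects only.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
foreach ($w in $wanted) {
    if ($groupAces | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $w.Guid }) { continue }
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]$w.Right),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $w.Guid, $inherit, $computerClass)
    $acl.AddAccessRule($rule)
    Write-Host "adding: $($w.Name)"
}
Set-Acl -Path "AD:\$OuDn" -AclObject $acl
```

Run it without -Apply first: the report shows whether the help-desk group's access denied on a re-join is explained by a missing Reset Password or validated-write ACE, and whether the working fix was the blanket "Write all properties" grant. The ACEs it adds are inherited only by computer objects under the OU, so the group gains nothing on users, groups or the OU itself.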