I have tried and tried to get a dsacls dump. But our OUs have spaces and some dashes in them, and I cannot figure out how to make dsacls access the object path. I have tried all different combinations with quotes in multiple locations, and it won't work.

I do see this in the security event log on the DC the computer is trying to talk to when attempting to add it to the domain, but I'm not certain what it is telling me. Also, this is why I asked about the 'Add Workstation' user right:

Source:  Security
Category:  Privilege Use
Type:  Failure Aud
Event ID:  577

Description:
Privileged Service Called:
        Server:         Security Account Manager
        Service:                Security Account Manager
        Primary User Name:      BONHAD01$
        Primary Domain: CORP
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       testcbp9
        Client Domain:  CORP
        Client Logon ID:        (0x0,0x499DA7A9)
        Privileges:     SeMachineAccountPrivilege

From: "joe" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Problems Adding Computers to AD
Date: Fri, 29 Oct 2004 15:48:59 -0400

Nope, you do not have to give them the "right".

That should be working if everything is as you describe.

Could you give a dsacls dump of the computer object?


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Friday, October 29, 2004 2:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD

Well, I gave it full control, and it still cannot add the computer to the
domain. Even though all of the delegated rights are there, and the computer
object is already created, do you also have to modify the group policy to
allow your 'computer add' groups the right to add computers to the domain?
We don't want them adding computer objects anywhere other than where they
have been granted delegated rights, though. And, we don't want them adding
to the default Computer container. Do we have to do that?


>From: "joe" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: <[EMAIL PROTECTED]>
>Subject: RE: [ActiveDir] Problems Adding Computers to AD
>Date: Thu, 28 Oct 2004 16:30:12 -0400
>
>Yeah the issue I saw was specific to disjoint namespaces and the new
>functionality in K3 AD that was verifying the domain names of the hosts.
>
>I would be curious though, just for test, not for final solution if you
>went back to the created object and gave the group you mention FC of
>the computer object and see if it allows the join ok.
>
>   joe
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
>Sent: Thursday, October 28, 2004 3:54 PM
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] Problems Adding Computers to AD
>
>Actually, we don't have a disjointed namespace.  They are specifying a
>group to which their userid is a member.  Then, they go to the PC to
>change its domain.
>
> >From: "joe" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: <[EMAIL PROTECTED]>
> >Subject: RE: [ActiveDir] Problems Adding Computers to AD
> >Date: Thu, 28 Oct 2004 15:15:07 -0400
> >
> >Do you have a disjoint namespace?
> >
> >When they create the objects, what do they specify for who can join?
> >
> >
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
> >Sent: Thursday, October 28, 2004 1:18 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: [ActiveDir] Problems Adding Computers to AD
> >
> >Thank you, Joe.  We are implementing Windows Server 2003 AD.  Here
> >are the permissions we have assigned.  Any clue as to what critical
> >permission could be missing?
> >
> >This object and all child objects:
> >Create Computer Objects
> >
> >Computer Objects:
> >List Contents
> >Read All Properties
> >Write All Properties
> >Read Permissions
> >
> >-----Original Message-----
> >From: joe [mailto:[EMAIL PROTECTED]
> >Sent: Thursday, October 28, 2004 11:50 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: [ActiveDir] Problems Adding Computers to AD
> >
> >I have seen that with Windows Server 2003 AD if there aren't enough
> >permissions delegated to the person/group actually doing the join in
> >a disjointed namespace environment.
> >
> >   joe
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
> >Sent: Thursday, October 28, 2004 11:37 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: [ActiveDir] Problems Adding Computers to AD
> >
> >Thanks, but nothing there really seems to help.  It's strange.  When
> >we look at the computer account in the domain, it also ends up
> >disabling it.
> >
> >-----Original Message-----
> >From: Jacob Walker [mailto:[EMAIL PROTECTED]
> >Sent: Tuesday, October 26, 2004 4:34 PM
> >To: [EMAIL PROTECTED]
> >Subject: [ActiveDir] Problems Adding Computers to AD
> >
> >We've delegated the permission to add computer accounts to our AD
> >environment to some admins.  They can go into ADUC and add the computer
> >account without problem.  However, when they go to the PC to change its
> >domain membership, on some PCs they get an error about not enough
> >storage space.  But some PCs work fine.  We cannot determine why
> >this is happening.  Any ideas?
> >
> >List info   : http://www.activedir.org/mail_list.htm
> >List FAQ    : http://www.activedir.org/list_faq.htm
> >List archive:
> >http://www.mail-archive.com/activedir%40mail.activedir.org/
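
Added example, not part of the original thread: a small Python parser for the Event ID 577 description quoted in the top message. It separates the service's own account (running in the LocalSystem logon session) from the client the request was made for, and maps the privilege constant to its user-right display name; the function names and the `PRIVILEGE_NAMES` table are illustrative assumptions.

```python
# Event text reproduced from the top message of this thread (Event ID 577).
SAMPLE_EVENT = """\
Privileged Service Called:
        Server:         Security Account Manager
        Service:                Security Account Manager
        Primary User Name:      BONHAD01$
        Primary Domain: CORP
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       testcbp9
        Client Domain:  CORP
        Client Logon ID:        (0x0,0x499DA7A9)
        Privileges:     SeMachineAccountPrivilege
"""

# Display names of user rights, keyed by privilege constant (subset only).
PRIVILEGE_NAMES = {"SeMachineAccountPrivilege": "Add workstations to domain"}

SYSTEM_LOGON_ID = 0x3E7  # well-known logon session of LocalSystem


def parse_event(text):
    """Turn the 'Key: value' lines of the description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skips the 'Privileged Service Called:' title
            fields[key.strip()] = value.strip()
    return fields


def logon_id(value):
    """Convert '(0x0,0x3E7)' (high part, low part) into one integer."""
    high, low = (int(part, 16) for part in value.strip("()").split(","))
    return (high << 32) | low


def summarize(text):
    """Report who the request was made for and which user right it named."""
    f = parse_event(text)
    return {
        "caller": f"{f['Client Domain']}\\{f['Client User Name']}",
        "service_account": f"{f['Primary Domain']}\\{f['Primary User Name']}",
        "service_runs_as_system": logon_id(f["Primary Logon ID"]) == SYSTEM_LOGON_ID,
        "user_rights": [PRIVILEGE_NAMES.get(p, p) for p in f["Privileges"].split()],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```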