Title: Re: [ActiveDir] delegation not working on Win2k AD

I agree with many of the other posts here – the domain level is likely the correct area to do this, simply because the usual location for a joined computer is the Computers container – not an OU.  If they don’t have access to the container, then they aren’t going to be able to join them.


What is the scope of the delegated permissions?  Is it ‘This object and all child objects’?  Also, I think that I’d create a new delegation in the Advanced properties of the AD Security tab (it might exist – if you aren’t used to using the Advanced view of Security in AD, you won’t see it) for the techs.  This time, however – you are going to want to select Computer Objects from the dropdown, then select ‘Full Control’ for the techs.  Save this.


If you don’t have a clear idea on how to proceed, reply back.  I’ll send or post detailed instructions with pictures, if necessary, on how to do exactly what you want.


-rtk


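The two ACEs rtk describes (Create/Delete Computer Objects scoped to "This object and all child objects", then Full Control on computer objects), written out as an added PowerShell example. It is not part of the original thread, and PowerShell did not exist on a Win2k domain in 2005; the same ACEs can be set with dsacls, see the note after the block. The domain DC=contoso,DC=com, the NetBIOS name CONTOSO, the group Technicians and the container CN=Computers are assumptions; the computer class GUID is the fixed schema value and is the same in every forest.

```powershell
# Added example (not from the thread): apply the two ACEs rtk describes using
# System.DirectoryServices. Domain, container and group names are assumptions;
# replace them with your own. Run as a user allowed to write the container's ACL.

# Schema GUID of the 'computer' class; identical in every AD forest.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-ComputerObjectDelegation {
    param(
        [string]$ContainerDn,   # e.g. CN=Computers,DC=contoso,DC=com (assumed)
        [string]$Domain,        # NetBIOS domain name (assumed CONTOSO)
        [string]$Group          # technicians group (assumed)
    )
    $who       = New-Object System.Security.Principal.NTAccount($Domain, $Group)
    $container = [ADSI]"LDAP://$ContainerDn"
    $acl       = $container.psbase.ObjectSecurity

    # ACE 1: Create/Delete *computer* objects, scope "This object and all child
    # objects" (ActiveDirectorySecurityInheritance::All). ObjectType limits the
    # create/delete right to the computer class instead of every child class.
    $createDelete = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $who,
        ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
         [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $computerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )

    # ACE 2: Full Control on computer objects below the container (existing and
    # future ones). InheritedObjectType = computer pins the inherit-only ACE to
    # that class, so the techs get nothing on users or groups placed here later.
    $fullControl = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $who,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClassGuid
    )

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($fullControl)
    $container.psbase.CommitChanges()

    # Read the ACL back and return only this group's explicit ACEs so the result can be checked.
    $container.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $who.Value } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
}

Grant-ComputerObjectDelegation -ContainerDn 'CN=Computers,DC=contoso,DC=com' -Domain 'CONTOSO' -Group 'Technicians'
```

The dsacls equivalents from the Support Tools are dsacls "CN=Computers,DC=contoso,DC=com" /I:T /G "CONTOSO\Technicians:CCDC;computer" for the first ACE (CC/DC = create/delete child, restricted to the computer class, /I:T = this object and sub-objects) and dsacls "CN=Computers,DC=contoso,DC=com" /I:S /G "CONTOSO\Technicians:GA;;computer" for the second (GA = generic all, inherited by computer objects only). In both tools the point is the same: the ACE on the container must carry the object type and the inheritance scope, otherwise it either covers every child class or never reaches the objects the techs are meant to manage.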
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 17, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD


Hi,

Thanks for the hint, but I did it too…

Here are the settings I have. In the user rights the group technicians is allowed to add computers to the domain.


I also have the following perms on the “Computers” OU

List content

Read all properties

Write all properties

Read permissions

Create computer objects

Delete computer objects

Read Container info

Write container info

Read heuristics

Write heuristics


I used the delegation wizard on the domain, not on the OU.


Is there anything else I’m missing?


Thanks

From: TIROA YANN [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Tuesday, May 17, 2005 2:23 PM
To: ActiveDir@mail.activedir.org; Bruyere, Michel
Subject: RE: [ActiveDir] delegation not working on Win2k AD


Hello ;-)

If you want to delegate creation of computers for a subset of users, you may have to create a security group (i.e. a technicians group), then go to the "Default domain controller policy" on the "Domain Controllers" OU, and not to the "Default Domain Policy" of your domain root.

Add your group to "Join computer to the domain". Notice that you have already security objects such as authenticated users: remove this group if necessary.

Then your users will have the rights to join computers to domain: those will appear by default in "Computers" container.

Cheers,

Yann TIROA

I would run the delegation wizard at the Domain.com level and delegate the
Join a computer to the domain permission instead of creating a GPO. By
using the wizard it grants the Create Computer Objects permission on This
object and all child objects.

Setting this permission at the OU level will allow the user to move
computer objects between OU's but not join computers to the domain.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362


From: "Mark Parris" <[EMAIL PROTECTED]it.co.uk>
Sent by: [EMAIL PROTECTED]ail.activedir.org
Sent: 05/17/2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] delegation not working on Win2k AD
Please respond to: [EMAIL PROTECTED]tivedir.org

I was under the impression that the setting in the GPO "add workstations
to a domain" was the legacy way of granting such permissions, and that the
correct way was, on the OU where the accounts would live, to grant
create and delete computer objects and then grant full control to those
objects.

Regards

Mark

-----Original Message-----
From: "Medeiros, Jose" <[EMAIL PROTECTED]>
Date: Mon, 16 May 2005 13:44:26
To:<ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hi Michael,

By default everyone in the domain can join up to 10 computers. My only
thought is that you may have inadvertently configured the wrong setting and
after they added the 10 machines they are now being denied the right to do so.
The correct setting is "add workstations to a domain".

Sincerely,

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org
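A read-back of the delegation, as an added PowerShell example that is not part of the thread. It covers Chris Ryan's point about the scope of a domain-level ACE (does it flow down to CN=Computers as an inherited ACE, and with which object type?) and Jose's "10 computers" point, which is the domain's ms-DS-MachineAccountQuota attribute. The domain DC=contoso,DC=com and the group CONTOSO\Technicians are assumptions; the computer class GUID is the fixed schema value.

```powershell
# Added example (not from the thread): read back what the directory actually
# grants a group before re-running the delegation wizard. Names are assumptions.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schema GUID of class 'computer'

function Get-ComputerCreateAces {
    param(
        [string]$Dn,                                     # container to inspect
        [System.Security.Principal.NTAccount]$Identity   # group to look for
    )
    $entry = [ADSI]"LDAP://$Dn"
    # includeExplicit = $true, includeInherited = $true: we want ACEs that flowed down too
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $Identity.Value) { continue }
        $hasCreate = ([int]($r.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild)) -ne 0
        # An empty ObjectType means "any child class"; otherwise it must name the computer class.
        $coversComputer = ($r.ObjectType -eq [guid]::Empty) -or ($r.ObjectType -eq $computerClassGuid)
        if (-not ($hasCreate -and $coversComputer)) { continue }
        if ($r.ObjectType -eq [guid]::Empty) { $scope = 'all classes' } else { $scope = 'computer' }
        [pscustomobject]@{
            Container   = $Dn
            Type        = $r.AccessControlType   # a Deny here is one explanation for "access denied"
            Inheritance = $r.InheritanceType     # All = "This object and all child objects"
            Inherited   = $r.IsInherited         # $true when the ACE came down from a parent (e.g. the domain root)
            Scope       = $scope
        }
    }
}

$domainDn = 'DC=contoso,DC=com'                                                       # assumption
$techs    = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Technicians')  # assumption

# Domain root first (where the wizard was run), then the container the joins land in.
Get-ComputerCreateAces -Dn $domainDn -Identity $techs
Get-ComputerCreateAces -Dn "CN=Computers,$domainDn" -Identity $techs

# The "10 computers" limit is ms-DS-MachineAccountQuota on the domain NC. It caps joins
# done through the "Add workstations to domain" user right; a join backed by an explicit
# Create computer objects ACE on the container is not counted against it.
([ADSI]"LDAP://$domainDn").psbase.Properties['ms-DS-MachineAccountQuota'].Value
```

If the domain-root call returns an ACE with Inheritance None, nothing reaches CN=Computers and the second call comes back empty, which matches what the wizard's "This object only" scope produces; if the second call shows the ACE with Inherited = True and Scope = computer, the directory side of the delegation is in place and the remaining suspects are a Deny ACE listed above it or the user right on the domain controllers.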

------------------------------------------------------


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Bruyere, Michel
Sent: Monday, May 16, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] delegation not working on Win2k AD


Hi,
I used the delegation wizard to delegate the "join computer to
the domain" task to the technicians group. Everything worked fine until
today. For no apparent reasons, it gives an access denied to the
technicians group members when they try to join a computer to the
domain. Nothing has changed on the system, I mean manually.

When I go into the security tab, I can see that they have the right to
create computer objects.

I tried to use the delegation wizard again, but still no go.

Ideas anyone?
Thanks

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
