RE: [ActiveDir] strange thing...
Don't worry about how the permissions are being displayed. The GUI will try and display the permissions based on how the ACEs are configured. An ACE cannot have both Create Computer Objects and Read Permissions; the ACE structures don't work that way, they would have to be separate ACEs.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Wednesday, June 09, 2004 2:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Hi,

In fact what happens is that it creates 2 distinct items under the advanced button. It's like the perms being cut into 2 categories. I have the first object (the technician group) which has

List contents
Read all properties
Read permissions

And a second one lower at the bottom of the list where there are

Create computer objects
Delete computer objects

I tried to put the Create computer objects and Delete computer objects on the first one and delete the second, but I revert to the same setting. It's removing the computer objects from the first in the list to recreate a second in the list.

I don't know if this can help you but if you prefer I can send you PrintScreens off list.

Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something is to start looking for something else. :-)

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
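Added example, not part of the original thread: the split display discussed in the message above, reproduced by parsing an SDDL DACL. Each ACE carries a single object-type field, so rights scoped to the Computer class sit in a different ACE from the unscoped read rights. The SDDL strings and the SID are constructed sample data; the GUIDs are the Computer and User class schemaIDGUIDs of the default AD schema.

```python
import re

# Directory-service access-right codes used in SDDL ACE strings.
DS_RIGHTS = {
    "CC": "Create child", "DC": "Delete child", "LC": "List contents",
    "SW": "Validated write", "RP": "Read property", "WP": "Write property",
    "DT": "Delete tree", "LO": "List object", "CR": "Control access",
    "RC": "Read permissions", "SD": "Delete", "WD": "Modify permissions",
    "WO": "Modify owner",
}
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"

# Constructed sample: this SID stands in for the "technicians" group.
TECH_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed DACL of a hypothetical computers OU, as the thread describes it:
# one plain ACE with the read rights, one object ACE scoped to Computer.
SAMPLE_SDDL = (
    "D:AI"
    f"(A;;LCRPRC;;;{TECH_SID})"
    "(A;;RPWPCCDCLCSWRCWDWOSD;;;DA)"
    f"(OA;;CCDC;{COMPUTER_CLASS};;{TECH_SID})"
)
# Constructed DACL for the temporary workaround in the thread:
# create/delete ALL child objects (no object type on the ACE).
BROAD_SDDL = f"D:(A;;CCDC;;;{TECH_SID})"

ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_dacl(sddl):
    """Return the ACEs of the D: section of an SDDL string, in order.

    Assumes the rights field uses two-letter codes, not a hex mask.
    """
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, flags, rights, obj, _inh_obj, trustee = body.split(";")[:6]
        aces.append({
            "allow": ace_type in ("A", "OA"),
            "inherited": "ID" in re.findall("..", flags),
            "rights": re.findall("..", rights),
            "object_type": obj.lower() or None,  # one GUID per ACE, or none
            "trustee": trustee,
        })
    return aces


def describe(ace):
    """One permission-entry row: (type, scope, right names)."""
    if ace["object_type"] is None:
        scope = "all classes and properties"
    elif ace["object_type"] == COMPUTER_CLASS:
        scope = "Computer objects"
    else:
        scope = ace["object_type"]
    names = [DS_RIGHTS.get(code, code) for code in ace["rights"]]
    return ("Allow" if ace["allow"] else "Deny", scope, names)


def entries_for(aces, trustee):
    """Rows an ACL editor has to show for one trustee: one per ACE."""
    return [describe(a) for a in aces if a["trustee"] == trustee]


def can_create(aces, sids, child_class=COMPUTER_CLASS):
    """Simplified access check for 'Create child' of one class.

    The first ACE that matches one of the caller's SIDs and covers the class
    (scoped to it, or unscoped) decides; no matching ACE means no access.
    """
    for ace in aces:
        if ace["trustee"] not in sids or "CC" not in ace["rights"]:
            continue
        if ace["object_type"] in (None, child_class):
            return ace["allow"]
    return False


if __name__ == "__main__":
    scoped = parse_dacl(SAMPLE_SDDL)
    for row in entries_for(scoped, TECH_SID):
        print(row)
    broad = parse_dacl(BROAD_SDDL)
    print("scoped ACL, create user:", can_create(scoped, {TECH_SID}, USER_CLASS))
    print("broad ACL, create user: ", can_create(broad, {TECH_SID}, USER_CLASS))
```

The two rows printed for the technicians SID correspond to the two entries seen under the Advanced button. The last two lines show that the "create all child objects" workaround also permits creating user objects, which the class-scoped ACE does not.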
RE: [ActiveDir] strange thing...
This thread seems confusing to me and doesn't seem to have all of the information.

Questions:

1. You say "added the technician group to the computers OU". When you say that, do you mean you added the Technicians group to the ACL of the Computers container (i.e. CN=COMPUTERS), or did you create an OU for computers, or other?

2. You say "The problem is that when I set these, everything works fine." When you say that, do you mean that it sets OK and that is fine, or that you set it and test it with the group and the group at that point in time is fine? Robert asked the same question but you glossed over it and didn't answer.

3. You say "To fix the issue temporarily, ". Did this temporary fix work?

4. Are the accounts precreated or are the techs simply joining a new machine straight to the domain?

5. How are the techs doing the join?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Wednesday, June 09, 2004 10:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange thing...

Hi all,

It's my first post here. I've been referred here and been told that you guys were the "real gurus" of AD. I have a strange thing happening and I would like to have your thoughts about it.

Here is the situation: I created a group called "technicians" and I gave the user right "add station to the domain" to it. I then added the technician group to the computers OU and set the following:

List contents
Read all properties
Read permissions
Create computer objects
Delete computer objects

The problem is that when I set these, everything works fine. But the next day when a tech (member of the technician group) tries to join a computer to the domain he has an access denied. To fix the issue temporarily, I gave the group the perms (create all child objects and delete all child objects). I tried to remove the inheritance of the perms on this OU but it didn't help.

I can't see why this is happening.

Thanks

Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something is to start looking for something else. :-)
RE: [ActiveDir] strange thing...
Hi,

I did recheck that and the result is that the group is listed in there, and under the "local policy setting" there is no check in the box but there is one under the "effective policy setting" column.

So the problem should be elsewhere.

Thanks

Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something is to start looking for something else. :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, June 09, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Go to one of your DCs, then run:
Start...Programs...Administrative Tools...Local Security Policies

Then under:
Local Policies...User Rights Assignments

What is the value for the "Add workstations to domain" user right?

If the technician group is missing, then another GPO is overriding that setting.
RE: [ActiveDir] strange thing...
Go to one of your DCs, then run:
Start...Programs...Administrative Tools...Local Security Policies

Then under:
Local Policies...User Rights Assignments

What is the value for the "Add workstations to domain" user right?

If the technician group is missing, then another GPO is overriding that setting.

-----Original Message-----
From: Bruyere, Michel [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 09, 2004 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Hi,

This user right has been set into the Default Domain Controller policy. I simply added the group "technician" in there. There was already administrators and domain admins in there.

Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something is to start looking for something else. :-)
RE: [ActiveDir] strange thing...
Hi,

This user right has been set into the Default Domain Controller policy. I simply added the group "technician" in there. There was already administrators and domain admins in there.

Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something is to start looking for something else. :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, June 09, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Do you have a GPO that is specifying that specific user right? You can check with GPRESULT.EXE
RE: [ActiveDir] strange thing...
Hi,

In fact what happens is that it creates 2 distinct items under the advanced button. It's like the perms being cut into 2 categories. I have the first object (the technician group) which has

List contents
Read all properties
Read permissions

And a second one lower at the bottom of the list where there are

Create computer objects
Delete computer objects

I tried to put the Create computer objects and Delete computer objects on the first one and delete the second, but I revert to the same setting. It's removing the computer objects from the first in the list to recreate a second in the list.

I don't know if this can help you but if you prefer I can send you PrintScreens off list.

Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something is to start looking for something else. :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Wednesday, June 09, 2004 10:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Just clarifying

It appears that you are saying ... when you first designate the rights that members of the technician group can add wks to the domain and the next day they cannot? Are the rights still set on the next day as you defined them on the first day? Or are they reverting back?
RE: [ActiveDir] strange thing...
Do you have a GPO that is specifying that specific user right? You can check with GPRESULT.EXE

-----Original Message-----
From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 09, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Just clarifying

It appears that you are saying ... when you first designate the rights that members of the technician group can add wks to the domain and the next day they cannot? Are the rights still set on the next day as you defined them on the first day? Or are they reverting back?
RE: [ActiveDir] strange thing...
Just clarifying

It appears that you are saying ... when you first designate the rights that members of the technician group can add wks to the domain and the next day they cannot? Are the rights still set on the next day as you defined them on the first day? Or are they reverting back?

-----Original Message-----
From: Bruyere, Michel [mailto:[EMAIL PROTECTED]
Sent: 09 June 2004 15:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange thing...

Hi all,

It's my first post here. I've been referred here and been told that you guys were the "real gurus" of AD. I have a strange thing happening and I would like to have your thoughts about it.

Here is the situation: I created a group called "technicians" and I gave the user right "add station to the domain" to it. I then added the technician group to the computers OU and set the following:

List contents
Read all properties
Read permissions
Create computer objects
Delete computer objects

The problem is that when I set these, everything works fine. But the next day when a tech (member of the technician group) tries to join a computer to the domain he has an access denied. To fix the issue temporarily, I gave the group the perms (create all child objects and delete all child objects). I tried to remove the inheritance of the perms on this OU but it didn't help.

I can't see why this is happening.

Thanks

Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something is to start looking for something else. :-)

This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.
[ActiveDir] strange thing...
Hi all,

It's my first post here. I've been referred here and been told that you guys were the "real gurus" of AD. I have a strange thing happening and I would like to have your thoughts about it.

Here is the situation: I created a group called "technicians" and I gave the user right "add station to the domain" to it. I then added the technician group to the computers OU and set the following:

List contents
Read all properties
Read permissions
Create computer objects
Delete computer objects

The problem is that when I set these, everything works fine. But the next day when a tech (member of the technician group) tries to join a computer to the domain he has an access denied. To fix the issue temporarily, I gave the group the perms (create all child objects and delete all child objects). I tried to remove the inheritance of the perms on this OU but it didn't help.

I can't see why this is happening.

Thanks

Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something is to start looking for something else. :-)