RE: [ActiveDir] delegation not working on Win2k AD
I wonder if something is just ‘broken’ (and missed) as you’ve been making changes. It sounds like everything is in place correctly. You might try this, as it will serve you well in many ways:

Background

It is a best practice not to be adding computers ‘willy nilly’ to the Computers container, since it is unmanaged. You’ll probably want to be adding computers to an actual OU, to which you’ve linked appropriate GPOs. It is also a best practice to create the computer account in advance of joining the computer to the domain; or to use NETDOM or WMI to join computers to the domain, so that one way or another they end up in the correct (end state) OU, rather than in a generic container. If you have W2K3 domain functional level, you can also redirect the ‘default’ computers container into a custom OU. See http://support.microsoft.com/default.aspx?scid=kb;en-us;324949 .

Suggestion

Start over with your task, since you’ve tried everything and have done things well. Start with a “fresh” OU, delegate your techs group the CC (Create Child) and GA (Full Control) of computer objects in the OU. Test by logging on as a tech and using ADUC to create a computer object; then join a workstation (same name) to the domain. See what breaks, if anything. If anything breaks, create a NEW tech user account, put it in the same group that has been delegated permissions, and try again. If the new tech can add computers (using ADUC) to the new OU and join computers to the new accounts, try one last ‘round’ of the new tech doing the same thing back in your old container.

NEXT STEPS

I’d be happy to *try* to help you directly if you’d like. LMK where exactly things are breaking. I’d just need to look at the ACL on the Computers container and your “new” OU and an RSoP of a Technician.

1) Use the following command to dump the permissions on the container:

   dsacls "CN=Computers,DC=windomain,DC=local" >desktop\dsaclsdump.txt

   Replacing the domain name and/or Container/OU as appropriate.

2) Please run two RSoP reports using the Group Policy Management Console:
   a. A Technician on a technician’s computer
   b. A Technician on a domain controller
   Save the reports (they come out as HTML).

Send me the three files (I probably don’t need all three, but they’ll be helpful). I don’t have *tons* of time today, but I’ll be happy to take a quick look. My email is dan-dot-holme-at-intelliem-dot-com.

Dan Holme

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruyere, Michel
Sent: Wednesday, May 18, 2005 6:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD
RE: [ActiveDir] delegation not working on Win2k AD
Hi Rick,

Thanks for the answer, I double checked and I already have the “technicians” full control on computer objects set on the Computers container.

Any other ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Tuesday, May 17, 2005 6:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD
RE: [ActiveDir] delegation not working on Win2k AD
I agree with many of the other posts here – a domain level is likely the correct area to do this, simply because the usual location for a joined computer is the Computers Container – not an OU. If they don’t have access to the container, then they aren’t going to be able to join them.

What is the scope of the delegated permissions? Is it ‘This object and all child objects’?

Also, I think that I’d create a new delegation in the Advanced properties of the AD Securities tab (it might exist – if you aren’t used to using the Advanced view of Security in AD, you won’t see it) for the techs. This time, however – you are going to want to select Computer Objects from the dropdown, then select ‘Full Control’ for the techs. Save this.

If you don’t have a clear idea on how to proceed, reply back. I’ll send or post detailed instructions with pictures, if necessary, on how to do exactly what you want.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 17, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD
RE: [ActiveDir] delegation not working on Win2k AD
Hi,

Thanks for the hint, but I did it too… Here are the settings I have.

In the user rights the group technicians is allowed to add computers to the domain.

I also have the following perms on the “Computers” OU:
- List content
- Read all properties
- Write all properties
- Read permissions
- Create computer objects
- Delete computer objects
- Read Container info
- Write container info
- Read heuristics
- Write heuristics

I used the delegation wizard on the domain, not on the OU. Is there anything else I’m missing?

Thanks

From: TIROA YANN [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Tuesday, May 17, 2005 2:23 PM
To: ActiveDir@mail.activedir.org; Bruyere, Michel
Subject: RE : [ActiveDir] delegation not working on Win2k AD
RE : [ActiveDir] delegation not working on Win2k AD
Hello ;-)

If you want to delegate creation of computers for a subset of users, you may have to create a security group (i.e. a technicians group), then go to the "Default domain controller policy" on the "Domain Controllers" OU, and not on the "Default Domain Policy" of your Domain root. Add your group to "Join computer to the domain". Notice that you already have security objects such as authenticated users there: remove this group if necessary. Then your users will have the rights to join computers to the domain: those will appear by default in the "Computers" container.

Cheers,
Yann TIROA

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] delegation not working on Win2k AD
I would run the delegation wizard at the Domain.com level and delegate the Join a computer to the domain permission instead of creating a GPO. By using the wizard it grants the Create Computer Objects permission on This object and all child objects. Setting this permission at the OU level will allow the user to move computer objects between OU's but not join computers to the domain.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362

"Mark Parris" <[EMAIL PROTECTED] it.co.uk>
Sent by: [EMAIL PROTECTED] ail.activedir.org
05/17/2005 12:25 PM
Please respond to [EMAIL PROTECTED] tivedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] delegation not working on Win2k AD
Re: [ActiveDir] delegation not working on Win2k AD
I was under the impression that the setting in the GPO "add workstations to a domain" was the legacy way of granting such permissions, and that the correct way, on an OU where the accounts would live, was to grant create and delete computer objects and then grant full control to those objects.

Regards
Mark

-----Original Message-----
From: "Medeiros, Jose" <[EMAIL PROTECTED]>
Date: Mon, 16 May 2005 13:44:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD
RE: [ActiveDir] delegation not working on Win2k AD
Hi Michael,

By default everyone in the domain can join up to 10 computers. My only thought is that you may have inadvertently configured the wrong setting and after they added the 10 machines they are now being denied the right to do so. The correct setting is "add workstations to a domain".

Sincerely,
Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net www.tvnug.org www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruyere, Michel
Sent: Monday, May 16, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] delegation not working on Win2k AD

Hi,

I used the delegation wizard to delegate the "join computer to the domain" task to the technicians group. Everything worked fine until today. For no apparent reason, it gives an access denied to the technicians group members when they try to join a computer to the domain. Nothing has changed on the system, I mean manually. When I go into the security tab, I can see that they have the right to create computer objects. I tried to use the delegation wizard again, but still no go.

Ideas anyone?

Thanks
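An added example, not written by anyone in this thread: the replies above keep pointing at the same four things (Dan's dsacls dump of the container ACL and Rick's "scope" and "Full Control" questions, Jose's 10-computer default, and Yann's point that the "Add workstations to domain" right is granted by the Default Domain Controllers Policy), and this PowerShell reads all four so they can be checked rather than eyeballed. It assumes the ActiveDirectory module (RSAT) is available and that it runs on, or against, a domain controller; the domain windomain.local and the group WINDOMAIN\technicians are placeholders taken from Dan's command.

```powershell
# Added example (not from the thread). Checks: (1) Allow ACEs on the container
# that let the group create computer objects, with their scope; (2) any Deny
# ACE for the group, which would explain a join that "worked until today";
# (3) the domain-wide ms-DS-MachineAccountQuota (the 10-computer default);
# (4) who holds the "Add workstations to domain" right on this DC.
# Placeholders: domain windomain.local, group WINDOMAIN\technicians.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" object class; an all-zero ObjectType on an
# ACE means the right applies to every child object class.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AllClassesGuid    = [Guid]'00000000-0000-0000-0000-000000000000'

function Get-ComputerDelegationAces {
    # Returns the Allow ACEs on $ContainerDN that grant $Identity CreateChild
    # for computer objects (or GenericAll), plus every Deny ACE for it.
    param(
        [Parameter(Mandatory)] [string] $ContainerDN,  # e.g. "CN=Computers,DC=windomain,DC=local"
        [Parameter(Mandatory)] [string] $Identity      # e.g. "WINDOMAIN\technicians"
    )
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path ("AD:\" + $ContainerDN)
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        $createsComputers = $ace.ActiveDirectoryRights.HasFlag($rights::CreateChild) -and
                            ($ace.ObjectType -eq $ComputerClassGuid -or $ace.ObjectType -eq $AllClassesGuid)
        $fullControl = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)
        if ($ace.AccessControlType -eq 'Deny' -or $createsComputers -or $fullControl) {
            [PSCustomObject]@{
                Type        = $ace.AccessControlType
                Rights      = $ace.ActiveDirectoryRights
                ObjectClass = $(if ($ace.ObjectType -eq $ComputerClassGuid) { 'computer' }
                               elseif ($ace.ObjectType -eq $AllClassesGuid) { 'all' }
                               else { $ace.ObjectType })
                Scope       = $ace.InheritanceType   # 'All' is "This object and all child objects"
                Inherited   = $ace.IsInherited
            }
        }
    }
}

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota on the domain naming context: how many
    # computers an ordinary authenticated user may join (10 out of the box).
    param([string] $DomainDN = (Get-ADDomain).DistinguishedName)
    (Get-ADObject -Identity $DomainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-AddWorkstationsRight {
    # Principals holding SeMachineAccountPrivilege ("Add workstations to
    # domain") on the machine this runs on. Run it on a domain controller,
    # because that right comes from the Default Domain Controllers Policy.
    $inf = Join-Path $env:TEMP 'userrights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $match = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege\s*=\s*(.*)$' | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $match) { return @() }
    foreach ($entry in ($match.Matches[0].Groups[1].Value -split ',')) {
        $sidText = $entry.Trim().TrimStart('*')          # entries look like *S-1-5-11
        try {
            ([System.Security.Principal.SecurityIdentifier]$sidText).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sidText }                              # unresolvable SID: show it raw
    }
}

# Usage with the placeholder names:
Get-ComputerDelegationAces -ContainerDN 'CN=Computers,DC=windomain,DC=local' -Identity 'WINDOMAIN\technicians' |
    Format-Table -AutoSize
"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
"Add workstations to domain: $((Get-AddWorkstationsRight) -join ', ')"
```

What the wizard-granted permission should look like in the first table is one Allow row with CreateChild, ObjectClass computer and Scope All; a Deny row for the same group wins over any Allow and is the first thing to look for when a delegation stops working with no deliberate change. The ACE match is on the exact principal name, so a right inherited through a nested group will not show up here; and the quota is only relevant when the join is falling back to the default Authenticated Users path rather than the delegated one.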