Still having permission problems


peter.marshall

I was the poster of "Add PC to domain Problem". I am still stuck on
this ... sort of.

I made a group called "technical support". I put two users in there.
Both were regular users with no special privileges. One user could add
PCs to the domain, the other could not. I made a new user, added them
to the group. They could not add PCs either.

So now I am really confused. I have two users that should be able to
add PCs, and one user who can, but I have no idea why.

Does anyone have any idea how to troubleshoot this, or fix it ?

The current configuration is that I added the group to the "add pc's to
the domain" option under "Default Domain Controller Policy". I have
also tried to do this under "Default domain policy" (although I do not
know the difference between the two), as well as giving the user the
appropriate permissions to the "Computers OU" in Active Directory.

Thank you for any help that you can give.

Peter
 

Steven L Umbach

The only place that add workstations to the domain user right works is in
Domain Controller Security Policy where you should configure any user right
for the domain controllers. It is also possible that changes that you made
to Domain Controller Security Policy have not propagated yet or the user
that you are trying has not had his user security token refreshed to show
that user right. You can use the support tool command whoami /priv to show
the user rights in a security token. Note however that for regular users
this user right allows them to add only ten workstations to the domain
though that can be changed per info in the KB article below or give that
group create computer objects permission to the computer container in AD. I
would also recommend that you run the support tools netdiag, dcdiag, and
gpotool on your domain controllers to make sure that your domain is running
well and AD is replicating like it should. --- Steve

http://support.microsoft.com/?kbid=251335
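An added example, not from the thread and not Steve's own commands, that turns the checks above into a PowerShell checklist: the user right in the current token (its internal name is SeMachineAccountPrivilege), group membership in the token, the per-user join quota that KB 251335 describes (the ms-DS-MachineAccountQuota attribute on the domain object), the effective user-rights assignment on the DC, and DC replication. It assumes the ActiveDirectory module (RSAT or a current DC); on a Windows 2000 DC the support tools Steve names are the equivalent. The group name "technical support" is taken from Peter's post.

```powershell
# Added example (not from the thread). Steps 1-2 run as the user who cannot
# join machines; steps 3-5 run as an administrator on a domain controller.

# 1. Does the user's token carry "Add workstations to domain"? If it is absent,
#    the GPO has not applied yet or the user has not logged off and on since.
whoami /priv | findstr /i SeMachineAccountPrivilege

# 2. Is the delegated group actually in the token? Group changes only show up
#    after a fresh logon.
whoami /groups | findstr /i /C:"technical support"

# 3. The join quota from KB 251335 (default 10 per user). Setting it to 0 means
#    the user right alone creates no computer objects; only ACL delegation does.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object 'ms-DS-MachineAccountQuota'

# 4. Which SIDs currently hold the right on this DC after all GPOs are applied?
#    secedit exports the effective local policy, including [Privilege Rights].
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern 'SeMachineAccountPrivilege'

# 5. If the right is present on one DC but not another, the setting has not
#    replicated or the DCs are not replicating at all.
dcdiag /test:replications
```

Step 4 is the quickest way to see whether the setting defined in Domain Controller Security Policy is the one that actually won; the SIDs listed there should include the delegated group's SID.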
 

Roger Abell [MVP]

Steven L Umbach said:
The only place that add workstations to the domain user right works is in
Domain Controller Security Policy where you should configure any user right


slight adjustment if I might suggest Steve . . .

if set in domain linked GPO and not overwritten by a DC OU linked GPO
then the policy setting for the user right is in fact effective
 

Roger Abell [MVP]

I have just reviewed the posts of the other thread.
Between those and your new post what is not clear to me
is just what you have been doing when you say you have
adjusted the permissions on the Computers container.
Have you been using the delegation wizard? or trying to
manually adjust the grants?
 

Steven L Umbach

True and thanks for pointing that out. I should have qualified that
statement with "by default" since that user right is already defined in a
default installation of an AD domain for Domain Controller Security policy
which would of course make configuring that setting in Domain Security
Policy irrelevant assuming no override is not enabled and it could actually
be defined in any Group Policy linked to the domain controller container
where it could possibly prevail depending on its status in the list. ---
Steve
 

Roger Abell [MVP]

Would you try this?
Define a new custom group, such as DelegateJoinComp, and
then right click on the container in AD Users and Computers
and select to use the delegation wizard and delegate adding
computer objects to this new custom group?
Then, add some account to the custom group.
While granting addition of computers is relatively straight-forward
compared to other delegations, this will let you see what is needed
(what is given to the custom group) and also see whether an account
that is having problems still has problems after added to the group
(and re-logging-in) - meaning that there is some config for the account
preventing correct delegation from being effective.
 

peter.marshall

Hi.

Thanks for the idea. I just tried it, but no cigar.

Got any other ideas?

Peter
 

peter.marshall

Just had a strange occurrence .... It seems I only have the problem with
"new" machines. As in, the user can add a PC that was previously a
part of the domain, however a machine that was never a part of the
domain, does not get added.

Peter
 

Roger Abell [MVP]

This will take some head work (scratching).

The machines that can be (re)joined, for those their
old computer object had been deleted, right? So that
their successful join did require creating a new comp
obj in AD??

When you test the ability of the user accounts to add
machines to the domain are you meaning
a) use AD Users and Computers to define comp obj
b) use System properties of client machine to "join a domain"
c) both have been tried and fail
In other words, if they cannot do this remotely (join the client)
can they use AD tools to define the computer object?
 

peter.marshall

This user does not have direct access to AD through Users and
Computers. They are simply trying to add PCs to the domain through
the My Computer icon.

I got it backwards ... He can only add "New" machines. Ones that have
never been added to the domain before. If I add a machine, and then
remove it, he can not re-add it.

I am very sorry for the confusion.

Peter
 

Paul Adare

peter.marshall said (in the microsoft.public.win2000.security news group):
I got it backwards ... He can only add "New" machines. Ones that have
never been added to the domain before. If I add a machine, and then
remove it, he can not re-add it.

That's because removing a machine from the domain (through System
Properties on the machine in question) does not delete the computer's
account in Active Directory, it simply disables it. Since you added the
computer in the first place, you own the computer's account and only you
have the necessary permissions on the account object to reactivate it.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
 

peter.marshall

Cool.

Ok. So that got me a bit further. I did a few more tests. I noticed
in AD when I remove a computer (I am a domain Admin) that it disables
the account like you said. I then removed the disabled computer
account, and tried a test user account that I created and placed in the
group that I gave permissions to add PCs to the domain to. That user
could then add the PC. Then I got the user that I wanted to be able to
add PCs to the domain to try removing the computer and then re-adding
it. He was able to remove it, but was unable to re-add it. I checked
in AD and although the computer was removed, it still showed up in AD
as being there, and it was still enabled. Do you have any ideas as to
why this might happen?

Thank you very very much for your help.

Peter
 

Paul Adare

peter.marshall said (in the microsoft.public.win2000.security news group):
I checked
in AD and althought the compuer was removed, it still showed up in AD
as being there, and it was still enabled. Do you have any ideas as to
why this might happen ?

If you've got more than one domain controller this is likely due to
replication latency.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
 

Roger Abell [MVP]

And, if not due to latency then
1. if the user logged in as an admin of the machine being removed,
other than as their domain account enabled for computer objects,
then they may not have entered their credentials when prompted
during the disjoint action
2. their account might be granted add but not delete of computer
objects in AD
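An added example, not part of the thread and not Paul's or Roger's own commands, that checks the things these last two posts point at: whether a computer object with the machine's name already exists and whether it is disabled or still enabled (replication latency shows up as different answers from different DCs), who owns the object (the creator, or Domain Admins when an administrator created it), what the delegated group is granted on the object itself, and whether the group holds both Create and Delete of computer objects on the Computers container (Roger's second cause). It assumes the ActiveDirectory module; `$ComputerName` is a placeholder for the machine that will not re-join, and the group name is the one from Peter's post.

```powershell
# Added example (not from the thread). Run as an administrator on a DC.
Import-Module ActiveDirectory

$ComputerName = 'WS-TEST01'            # placeholder: machine that fails to re-join
$GroupName    = 'technical support'    # delegated group from Peter's post

# 1. Does an account with this name exist, and is it enabled? Ask each DC so a
#    replication lag between them is visible rather than hidden.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $c = Get-ADComputer -Server $dc -Filter "Name -eq '$ComputerName'" -Properties whenChanged
    if ($c) { "$dc : Enabled=$($c.Enabled) whenChanged=$($c.whenChanged)" }
    else    { "$dc : no computer object named $ComputerName" }
}

$comp = Get-ADComputer -Filter "Name -eq '$ComputerName'"
if (-not $comp) { return }

# 2. Owner of the object. A disjoin only disables the account, so re-joining
#    means re-enabling it, which needs rights on this existing object.
$objAcl = Get-Acl -Path "AD:\$($comp.DistinguishedName)"
"Owner: $($objAcl.Owner)"

# 3. What, if anything, does the delegated group hold on the object itself?
$objAcl.Access | Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 4. On the Computers container: does the group have both CreateChild and
#    DeleteChild for the computer class? Look up the class GUID from the schema
#    rather than hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$compClass = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID
$compGuid  = [guid]$compClass.schemaIDGUID
$container = "CN=Computers,$((Get-ADDomain).DistinguishedName)"
(Get-Acl -Path "AD:\$container").Access |
    Where-Object {
        $_.IdentityReference -like "*\$GroupName" -and
        ($_.ObjectType -eq $compGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

If step 4 lists CreateChild without DeleteChild, the account can join new names but cannot remove the old object, which is exactly the "new machines only" symptom Peter describes; if the owner in step 2 is another account, the user cannot re-enable the disabled object either.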