Unable to add workstation to domain

Darren Toews

Hi all,

Have a problem that I wonder if you can help me with. We have a Windows
2000/2003 domain. The domain controllers are 2000 and the member servers
are a mixture of 2000 and 2003.

I have created various OU admin groups for our different departments and made
the user objects for those users members of those groups. Now I have tried
adding all the OU admin group objects to a domain local group to which I'd
like to delegate the ability to add workstations to the domain. I have
tried doing this 3 different ways. 1) Using the delegation wizard, 2) Via
Group Policy at the domain level (added the Add Workstation group to the
list of users able to add workstations to the domain in the Computer Section
of the GPO under User Account Rights) and 3) editing the Domain security
properties and manually adding the group in giving them read, read all
properties and Create Computer Objects and Delete Computer Objects.

None of these methods seems to work. I can add a workstation with the
domain admin account and with an account that is a member of the domain
admins group so it does not seem to be communications related, but any
account in the add workstations group generates an "Access Denied" error. I
have also tried creating a test account not in the above group and using
each of the 3 methods to delegate rights directly to that account with no
luck either. Only the Domain Admins can add a workstation.

When I manually go into the security settings for any of the domains, I can
see that the rights have properly inherited down the tree using the
Effective Permissions tab, so the users should have the appropriate rights
to accomplish this task, yet for some reason they are not able to do it.

Searching Google I came across an article detailing that in some cases a bad
sysprep image can cause this and that a solution is to apply the Setup
Security Local Security Policy Template on the workstation. I have tried
this as well, and it worked a couple of times, but no longer seems to do the
trick.

I've tried searching Microsoft's support site and was unable to find anything
helpful.

If anyone has any suggestions for me, I'd greatly appreciate them!

Thanks in advance,

Darren Toews
 
Guido Grillenmeier [MVP]

this is usually a simple task

you don't change the User Rights - rather you'd want to replace
Authenticated Users with Domain Admin in the Add Workstations to Domain user
right to prevent Auth. Usr. from adding up to 10 machines (by default) to
the domain's Computer container.

setting permissions at the OU level is sufficient (grant permissions to
create computer objects at the OU level, then grant write permissions or
full control for computer objects) - users of your Add Workstations group
will then either have to first create the computer object in the OU (e.g.
via ADUC) and then join the computer to the domain (via the client UI), or
you can join directly to the right OU via cmd-line using NETDOM tool.

/Guido
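The two steps in Guido's reply, written out as an added example (this is not code from the thread): a cmd script that grants the OU-level permissions with dsacls from the Support Tools, checks the resulting ACL, and shows the NETDOM join straight into that OU. The domain EXAMPLE / example.com, the group "Add Workstations" and the OU path are placeholders.

```batch
@echo off
REM Added example, not from the original thread. EXAMPLE, example.com,
REM "Add Workstations" and the OU path are placeholders - adjust to taste.
REM Run the dsacls steps on a DC (or a box with the Support Tools) as a
REM Domain Admin; the netdom step runs on the workstation being joined.

set OU=OU=Workstations,DC=example,DC=com
set GRP=EXAMPLE\Add Workstations

REM 1. Let the group create and delete computer objects in the OU
REM    (CC = create child, DC = delete child, object type = computer;
REM    /I:T applies to the OU and everything beneath it).
dsacls "%OU%" /I:T /G "%GRP%:CCDC;computer"

REM 2. Give the group full control over the computer objects that end up
REM    beneath the OU (/I:S = sub-objects only, so the OU itself keeps its
REM    ACL; GA = generic all). Use WP (write property) in place of GA for
REM    the narrower "write permissions" variant from the reply.
dsacls "%OU%" /I:S /G "%GRP%:GA;;computer"

REM 3. Check: the new ACEs must show up in the OU's ACL listing. If they do
REM    not, the group members still get "Access Denied" on the join.
dsacls "%OU%" | findstr /I "Add Workstations"

REM 4. On the workstation, a member of the group joins directly into the
REM    OU, so the join never depends on the "Add workstations to domain"
REM    user right or on creating the object in the Computers container.
REM    The * prompts for the password instead of putting it on the command line.
netdom join %COMPUTERNAME% /Domain:example.com /OU:"%OU%" /UserD:"EXAMPLE\jdoe" /PasswordD:*
```

Step 4 is the alternative to pre-creating the computer object in ADUC; with the permissions from steps 1 and 2 in place either route works for the group members.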
 