Noah,

 

When you create a computer under ADUC, there’s a field “The following user or group can join this computer to a domain”.


Make sure you assign that permission correctly or in my env, setting it to domain users would be just fine.

 

From David’s explanation below, try getting a value by checking if the computer object exists – if so, do a reset for the computer account password (try dsquery and dsmod -reset if found).

 

Thank you and have a splendid day!

 

Kind Regards,

 

Freddy Hartono

Windows Administrator (ADSM/NT Security)

Spherion Technology Group, Singapore

For Agilent Technologies

E-mail: [EMAIL PROTECTED]

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Aragon
Sent: Saturday, April 09, 2005 11:14 PM
To: [email protected]
Subject: RE: [ActiveDir] Netdom to Join

 

Noah,

 

Freddy is correct, you mentioned the computer objects were pre-created, check the permissions on the object and OU to ensure a-domainuser has an appropriate level of authority. 

 

Also, when a computer object is created it is not attached to anything (a blank slate as it were), when a machine joins it looks to see if there is a free object with its name on it and attaches itself to that object, imprinting its specific information (e.g. GUID) on that object.  Trying to join another computer with the same name will fail (different GUIDs).  Without more information what it looks like is you've joined a different computer to the object once before, then tried to join this computer to the same object.  If this is the case, try resetting the computer object before you join a computer to it.  (SEE: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbi_add_qqne.asp).

 

David Aragon

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 08, 2005 8:04 PM
To: [email protected]
Subject: RE: [ActiveDir] Netdom to Join

Thanks for the responses. I spoke too soon. Here is what I want to do: script a means for a generic domain user (created only for this purpose) to join workgroup machines to a domain when logged onto those machines as a local non-admin user.

 

Here's what I have done:

- created a user called "a-domainjoiner". Put this in the User and DomainJoiners groups.

- Created a test computer account in OU=test,DC=domain,DC=com

- As per David's suggestion, allowed DomainJoiners in the "Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to Domain"

- ran the following netdom batch from the workstation:

net use \\server1\public password /USER:domain\a-domainjoiner

netdom \\server1\public\netdom join /d:domain.com %computername% /OU:OU=test,DC=domain,DC=com /ud:domain\domainjoiner /pd:password /reboot /Verbose

 

When I run this as a workstation User, I get the error:

"The computer account rename failed with error 5"

“The account already exists”

 

When I run it as a workstation admin, I get the same thing but "error 2224".

 

What am I missing here?

 

TIA

 

P.S. what do you mean, Freddy?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 6:31 PM
To: [email protected]
Subject: RE: [ActiveDir] Netdom to Join

 

Also check out computer account permissions when you create them.

 

Thank you and have a splendid day!

 

Kind Regards,

 

Freddy Hartono

Windows Administrator (ADSM/NT Security)

Spherion Technology Group, Singapore

For Agilent Technologies

E-mail: [EMAIL PROTECTED]

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Saturday, April 09, 2005 7:55 AM
To: [email protected]
Subject: RE: [ActiveDir] Netdom to Join

 

Thanks David. That’s what I was looking for.

 


From: David Aragon [mailto:[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 3:42 PM
To: [email protected]
Subject: RE: [ActiveDir] Netdom to Join

 

Noah,

 

That depends on what you have "Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to Domain" set to allow. 

 

We are a medium sized University and have authorized a group, comprised of specified users from each of the 13 colleges and major divisions on our campus, to do this.  They do not have Administrative authority except within their own OU, and even that is limited to adding computers and creating/editing GPO's within that OU.  Several units Ghost their machines and use Netdom without issue to join them to the Domain.

 

David Aragon

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 08, 2005 2:23 PM
To: [email protected]
Subject: [ActiveDir] Netdom to Join

Hi –

 

What are the minimum credentials that a user needs to join a computer to the domain when the computer account is already created? I am trying to script netdom to do this and getting denied if the user has less than administrative access.

 

Thanks.

 

-- nme
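
The check-then-reset step that Freddy suggests and David explains in the thread above, as an added example that is not part of the original messages. It assumes the AD DS command-line tools (dsquery.exe, dsmod.exe) are installed and that the caller may reset the object; the script and its parameter names are hypothetical, while the OU, domain and account name are the ones quoted in the thread.

```powershell
# Added example, not from the thread: confirm the pre-created computer object
# exists, then reset it so the next join can attach to it.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName,                             # hypothetical parameter: pre-created account name
    [string]$SearchBase = 'OU=test,DC=domain,DC=com'   # OU quoted in the thread
)

# dsquery prints one quoted DN per match and nothing when no object exists.
$found = @(& dsquery computer $SearchBase -name $ComputerName |
           Where-Object { $_ -and $_.Trim() })

if ($found.Count -eq 0) {
    Write-Error "No computer object named '$ComputerName' under $SearchBase. Pre-create it first."
    exit 1
}
if ($found.Count -gt 1) {
    # -name accepts wildcards, so refuse to touch anything on an ambiguous match.
    Write-Error "More than one object matched, nothing was reset: $($found -join '; ')"
    exit 1
}

# Strip the quotes dsquery adds; PowerShell re-quotes the argument if needed.
$dn = $found[0].Trim().Trim('"')
Write-Host "Resetting computer account: $dn"

& dsmod computer $dn -reset
if ($LASTEXITCODE -ne 0) {
    Write-Error "dsmod exited with code $LASTEXITCODE. Check permissions on the object and its OU."
    exit $LASTEXITCODE
}

# The join itself runs on the workstation. /pd:* makes netdom prompt for the
# password, so it is not stored in the batch file or on the share.
Write-Host "Object reset. On the workstation, run:"
Write-Host "  netdom join %computername% /d:domain.com /OU:$SearchBase /ud:domain\a-domainjoiner /pd:* /reboot"
```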
