I would run the delegation wizard at the Domain.com level and delegate the
Join a computer to the domain permission instead of creating a GPO. By
using the wizard it grants the Create Computer Objects permission on This
object and all child objects.
Setting this permission at the OU level will allow the user to move
computer objects between OUs but not join computers to the domain.
Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362
From: "Mark Parris" <[EMAIL PROTECTED]>
Sent by: [email protected]
Date: 05/17/2005 12:25 PM
Please respond to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] delegation not working on Win2k AD
I was under the impression that the setting in the GPO "add workstations
to a domain" was the legacy way of granting such permissions and the
correct way, on an OU where the accounts would live, would be to grant
create and delete computer objects and then grant full control to those
objects.
Regards
Mark
-----Original Message-----
From: "Medeiros, Jose" <[EMAIL PROTECTED]>
Date: Mon, 16 May 2005 13:44:26
To:<[email protected]>
Subject: RE: [ActiveDir] delegation not working on Win2k AD
Hi Michael,
By default everyone in the domain can join up to 10 computers. My only
thought is that you may have inadvertently configured the wrong setting and
after they added the 10 machines they are now being denied the right to do so.
The correct setting is "add workstations to a domain".
Sincerely,
Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org
------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bruyere, Michel
Sent: Monday, May 16, 2005 11:46 AM
To: [email protected]
Subject: [ActiveDir] delegation not working on Win2k AD
Hi,
I used the delegation wizard to delegate the "join computer to
the domain" task to the technicians group. Everything worked fine until
today. For no apparent reason, it gives an access denied to the
technicians group members when they try to join a computer to the
domain. Nothing has changed on the system, I mean manually.
When I go into the security tab, I can see that they have the right to
create computer objects.
I tried to use the delegation wizard again, but still no go.
Ideas anyone?
Thanks
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
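
The checks discussed in this thread, as an added example that is not part of the original messages: it reads the domain's machine account quota (the "10 computers" default), counts computer accounts already created under that quota per creator, and lists the ACEs on a container that allow or deny creating or deleting computer objects. It assumes the RSAT ActiveDirectory PowerShell module; the OU distinguished name is a placeholder, and the domain DN can be used instead to check a domain-level delegation.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder DN (assumption): the OU, or the domain head, where delegation was applied.
$Target = 'OU=Workstations,DC=example,DC=com'

# schemaIDGUID of the "computer" class; an empty GUID on an ACE means "all child classes".
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AllClasses    = [guid]::Empty

# 1. Domain-wide quota: how many computers an ordinary authenticated user may join.
$domain = Get-ADDomain
$head   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $($head.'ms-DS-MachineAccountQuota')"

# 2. Accounts created under the quota carry the creator's SID in mS-DS-CreatorSID.
#    A creator whose count has reached the quota gets "access denied" on the next join
#    unless an explicit Create Computer Objects ACE applies to them.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    Group-Object { $_.'mS-DS-CreatorSID'.Value } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'CreatorSID'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 3. ACEs on the target that allow or deny creating/deleting computer objects.
#    GenericAll includes both bits, so full-control ACEs are matched as well.
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$mask   = [int]($rights::CreateChild -bor $rights::DeleteChild)

(Get-Acl -Path "AD:\$Target").Access |
    Where-Object {
        (([int]$_.ActiveDirectoryRights -band $mask) -ne 0) -and
        ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq $AllClasses)
    } |
    Sort-Object AccessControlType, IdentityReference |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  IsInherited, InheritanceType |
    Format-Table -AutoSize
```

A Deny ACE, or an Allow ACE whose InheritanceType does not reach the container where new computer accounts land, will show up in the last table.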