I wonder if something is just ‘broken’ (and missed) as you’ve been making changes. It sounds like everything is in place correctly. You might try this, as it will serve you well in many ways:

Background

It is a best practice not to be adding computers ‘willy nilly’ to the Computers container, since it is unmanaged. You’ll probably want to be adding computers to an actual OU, to which you’ve linked appropriate GPOs. It is also a best practice to create the computer account in advance of joining the computer to the domain; or to use NETDOM or WMI to join computers to the domain, so that one way or another they end up in the correct (end state) OU, rather than in a generic container. If you have W2K3 domain functional level, you can also redirect the ‘default’ computers container into a custom OU. See http://support.microsoft.com/default.aspx?scid=kb;en-us;324949.

Suggestion

Start over with your task, since you’ve tried everything and have done things well. Start with a “fresh” OU, delegate your techs group the CC (Create Child) and GA (Full Control) of computer objects in the OU. Test by logging on as a tech and using ADUC to create a computer object; then join a workstation (same name) to the domain. See what breaks, if anything. If anything breaks, create a NEW tech user account, put it in the same group that has been delegated permissions, and try again. If the new tech can add computers (using ADUC) to the new OU and join computers to the new accounts, try one last ‘round’ of the new tech doing the same thing back in your old container.

NEXT STEPS

I’d be happy to *try* to help you directly if you’d like. LMK where exactly things are breaking. I’d just need to look at the ACL on the Computers container and your “new” OU and an RSoP of a Technician.

1) Use the following command to dump the permissions on the container:

   dsacls "CN=Computers,DC=windomain,DC=local" >desktop\dsaclsdump.txt

   Replacing the domain name and/or Container/OU as appropriate.

2) Please run two RSoP reports using the Group Policy Management Console:
   a. A Technician on a technician’s computer
   b. A Technician on a domain controller
   Save the reports (they come out as HTML).

Send me the three files (I probably don’t need all three, but they’ll be helpful). I don’t have *tons* of time today, but I’ll be happy to take a quick look. My email is dan-dot-holme-at-intelliem-dot-com.

Dan Holme

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel

Hi Rick,

Thanks for the answer. I double checked and I already have the “technicians” full control on computer objects set on the Computers container. Any other ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan

I agree with many of the other posts here – a domain level is likely the correct area to do this, simply because the usual location for a joined computer is the Computers Container – not an OU. If they don’t have access to the container, then they aren’t going to be able to join them. What is the scope of the delegated permissions? Is it ‘This object and all child objects’?

Also, I think that I’d create a new delegation in the Advanced properties of the AD Security tab (it might exist – if you aren’t used to using the Advanced view of Security in AD, you won’t see it) for the techs. This time, however – you are going to want to select Computer Objects from the dropdown, then select ‘Full Control’ for the techs. Save this. If you don’t have a clear idea on how to proceed, reply back. I’ll send or post detailed instructions with pictures, if necessary, on how to do exactly what you want.

-rtk

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

Hi,

Thanks for the hint, but I did it too… Here are the settings I have. In the user rights the group technicians is allowed to add computers to the domain. I also have the following perms on the “Computers” OU:

- List content
- Read all properties
- Write all properties
- Read permissions
- Create computer objects
- Delete computer objects
- Read Container info
- Write container info
- Read heuristics
- Write heuristics

I used the delegation wizard on the domain, not on the OU. Is there anything else I’m missing? Thanks
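The checks the replies in this thread ask for, as an added example that is not part of any message here: a PowerShell script that delegates computer-object creation to a technicians group on a dedicated OU (Dan's CC and GA, above, applied with the same dsacls tool he asks for the dump), reads the ACL back to confirm the ACEs are scoped to the computer class, and then checks the "Add workstations to domain" user right on a domain controller, which is what Yann's reply below and Dan's RSoP-on-a-DC report are about. The OU name Workstations, the group Technicians and the user tech1 are assumptions; windomain.local is the domain from Dan's dsacls command. It needs the ActiveDirectory RSAT module and dsacls.exe and is meant to be run as a domain admin on a domain controller.

```powershell
# Added example, not code from the thread. Assumed names (not from the thread):
# OU "Workstations", group "Technicians", user "tech1". windomain.local is the
# domain from Dan's dsacls command. Run as a domain admin on a DC with the
# ActiveDirectory RSAT module and dsacls.exe available.

Import-Module ActiveDirectory

$domainDn = 'DC=windomain,DC=local'
$ou       = "OU=Workstations,$domainDn"
$group    = 'WINDOMAIN\Technicians'
# Schema class GUID of "computer"; the delegated ACEs must be scoped to it.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# 1) Delegate on a real OU, not the unmanaged CN=Computers container.
$existing = Get-ADOrganizationalUnit -LDAPFilter '(ou=Workstations)' -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDn
}

# 2) Delegate with dsacls. CC/DC = create/delete child objects of class
#    computer on the OU and any sub-OU (/I:T); GA = full control, but only on
#    computer objects beneath the OU (/I:S). DC is added on top of Dan's CC so
#    a tech can also remove a stale account before a re-join.
dsacls $ou /I:T /G "${group}:CCDC;computer"
dsacls $ou /I:S /G "${group}:GA;;computer"

# 3) The dump Dan asks for, to compare against CN=Computers.
dsacls $ou | Out-File "$env:USERPROFILE\Desktop\dsaclsdump.txt"

# 4) Read the ACL back and confirm both ACEs exist for the group with the
#    right object-type scoping. An ACE that applies to "all objects" or to the
#    wrong class is the usual delegation-wizard mistake.
function Test-ComputerDelegation {
    param([string]$Path, [string]$Identity, [guid]$ClassGuid)
    $cc = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $aces = (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' }
    $canCreate = $aces | Where-Object {
        (($_.ActiveDirectoryRights -band $cc) -eq $cc) -and ($_.ObjectType -eq $ClassGuid) }
    $fullCtl = $aces | Where-Object {
        (($_.ActiveDirectoryRights -band $ga) -eq $ga) -and ($_.InheritedObjectType -eq $ClassGuid) }
    [pscustomobject]@{
        Path                   = $Path
        CanCreateComputers     = [bool]$canCreate
        FullControlOnComputers = [bool]$fullCtl
    }
}
Test-ComputerDelegation -Path $ou -Identity $group -ClassGuid $computerClass
Test-ComputerDelegation -Path "CN=Computers,$domainDn" -Identity $group -ClassGuid $computerClass

# 5) The "Add workstations to domain" user right is set by the Default Domain
#    Controllers Policy, so it has to be checked on a DC (this is what Dan's
#    RSoP-on-a-DC report shows). secedit exports the effective local policy.
function Test-AddWorkstationsRight {
    param([string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID.Value
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeMachineAccountPrivilege' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [bool]($line -and ($line -match [regex]::Escape($sid)))
}
Test-AddWorkstationsRight -GroupSam 'Technicians'

# Caveat: joins that rely on that user right alone are capped by
# ms-DS-MachineAccountQuota (default 10) and land in CN=Computers. Creating
# the account through the OU delegation above is not subject to the quota.
(Get-ADObject $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# 6) Dan's test: as a tech, pre-create the account in the OU, then join a
#    workstation with the same name. On the workstation that would be:
#      Add-Computer -DomainName windomain.local -OUPath $ou -Credential $tech
$tech = Get-Credential 'WINDOMAIN\tech1'
New-ADComputer -Name 'TESTPC01' -Path $ou -Credential $tech
```

Run Test-ComputerDelegation against both the new OU and CN=Computers: if the group shows CanCreateComputers but the join still fails, the remaining suspects are the user right on the DCs and the technician account itself, which is why Dan suggests retrying with a freshly created tech account.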
From: TIROA YANN [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN

Hello ;-)

If you want to delegate creation of computers for a subset of users, you may have to create a security group (i.e. a technicians group), then go to the "Default Domain Controllers Policy" on the "Domain Controllers" OU, and not the "Default Domain Policy" of your domain root. Add your group to "Join computer to the domain". Notice that you already have security objects such as Authenticated Users there: remove this group if necessary. Then your users will have the rights to join computers to the domain: those will appear by default in the "Computers" container.

Cheers,
Yann TIROA

I would run the delegation wizard at the Domain.com level and delegate the
Title: Re: [ActiveDir] delegation not working on Win2k AD
