Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Permissions to Delegate User For Netdom [message #156930] Fri, 26 June 2009 10:09
Charles (Member)
Hi All:

I need to know what permission to delegate to a user so this user will be
able to add/join computer accounts back into the domain that already exist.
Netdom works fine when this user runs it and the computer account does not exist.
If run using the admin account it runs fine when the computer account
already exists.

I have delegated the following perms to the OU for the user:
create/delete computer accounts
list all
read/write computer properties
Reset password


Thanks in advance!
06/25 16:06:01
-----------------------------------------------------------------
06/25 16:06:01 NetpDoDomainJoin
06/25 16:06:01 NetpMachineValidToJoin: 'NewComputer'
06/25 16:06:01 NetpGetLsaPrimaryDomain: status: 0x0
06/25 16:06:01 NetpMachineValidToJoin: status: 0x0
06/25 16:06:01 NetpJoinDomain
06/25 16:06:01 Machine: NewComputer
06/25 16:06:01 Domain: bikes
06/25 16:06:01 MachineAccountOU: OU=New SARP,OU=Station Workstations,OU=Revenue,DC=bikes,DC=ad,DC=internal
06/25 16:06:01 Account: bikes\SARPINST
06/25 16:06:01 Options: 0x3
06/25 16:06:01 OS Version: 5.1
06/25 16:06:01 Build number: 2600
06/25 16:06:01 ServicePack: Service Pack 3
06/25 16:06:01 NetpValidateName: checking to see if 'bikes' is valid as type 3 name
06/25 16:06:01 NetpCheckDomainNameIsValid [ Exists ] for 'bikes' returned 0x0
06/25 16:06:01 NetpValidateName: name 'bikes' is valid for type 3
06/25 16:06:01 NetpDsGetDcName: trying to find DC in domain 'bikes', flags: 0x1020
06/25 16:06:01 NetpDsGetDcName: found DC '\\bikedc01' in the specified domain
06/25 16:06:01 NetpJoinDomain: status of connecting to dc '\\bikedc01': 0x0
06/25 16:06:01 NetpGetLsaPrimaryDomain: status: 0x0
06/25 16:06:01 NetpGetDnsHostName: Read NV Hostname: NewComputer
06/25 16:06:01 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: bikes.ad.internal
06/25 16:06:01 NetpLsaOpenSecret: status: 0xc0000034
06/25 16:06:01 NetpGetComputerObjectDn: Cracking account name bikes\NewComputer$ on \\bikedc01
06/25 16:06:01 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=NewComputer,OU=New SARP,OU=Station Workstations,OU=Revenue,DC=bikes,DC=ad,DC=internal
06/25 16:06:01 NetpModifyComputerObjectInDs: Initial attribute values:
06/25 16:06:01 objectClass = Computer
06/25 16:06:01 SamAccountName = NewComputer$
06/25 16:06:01 userAccountControl = 4096
06/25 16:06:01 DnsHostName = NewComputer.bikes.ad.internal
06/25 16:06:01 ServicePrincipalName = HOST/NewComputer.bikes.ad.internal HOST/NewComputer
06/25 16:06:01 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
06/25 16:06:01 objectClass = top person organizationalPerson user computer
06/25 16:06:01 SamAccountName = NewComputer$
06/25 16:06:01 userAccountControl = 4096
06/25 16:06:01 DnsHostName = NewComputer.bikes.ad.internal
06/25 16:06:01 ServicePrincipalName = HOST/NewComputer HOST/NewComputer.bikes.ad.internal
06/25 16:06:01 NetpModifyComputerObjectInDs: There are _NO_ modifications to do
06/25 16:06:01 NetpCreateComputerObjectInDs: NetUserSetInfo failed on '\\bikedc01' for 'NewComputer$': 0x5. Deleting the account.
06/25 16:06:01 ldap_unbind status: 0x0
06/25 16:06:01 NetpJoinDomain: status of creating account in OU: 0x5
06/25 16:06:01 NetpJoinDomain: initiaing a rollback due to earlier errors
06/25 16:06:01 NetpLsaOpenSecret: status: 0x0
06/25 16:06:01 NetpJoinDomain: rollback: status of deleting secret: 0x0
06/25 16:06:01 NetpJoinDomain: status of disconnecting from '\\bikedc01': 0x0
06/25 16:06:01 NetpDoDomainJoin: status: 0x5
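To make the failing step in a netsetup.log like the one above easy to spot, here is an added Python triage script (not code from the post, from Microsoft or from the linked articles). It strips the timestamps, picks out the join parameters, the first call that failed with its status and the final NetpDoDomainJoin status, and separates the case in this thread (access denied while updating a computer object that already exists) from an access-denied on creation. The sample log is a subset of the lines in the post with wrapped lines rejoined; the classification labels are this script's own.

```python
import re

SAMPLE_LOG = r"""
06/25 16:06:01 Machine: NewComputer
06/25 16:06:01 MachineAccountOU: OU=New SARP,OU=Station Workstations,OU=Revenue,DC=bikes,DC=ad,DC=internal
06/25 16:06:01 Account: bikes\SARPINST
06/25 16:06:01 NetpLsaOpenSecret: status: 0xc0000034
06/25 16:06:01 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=NewComputer,OU=New SARP,OU=Station Workstations,OU=Revenue,DC=bikes,DC=ad,DC=internal
06/25 16:06:01 NetpModifyComputerObjectInDs: There are _NO_ modifications to do
06/25 16:06:01 NetpCreateComputerObjectInDs: NetUserSetInfo failed on '\\bikedc01' for 'NewComputer$': 0x5. Deleting the account.
06/25 16:06:01 NetpJoinDomain: status of creating account in OU: 0x5
06/25 16:06:01 NetpDoDomainJoin: status: 0x5
""".strip()  # subset of the post's netsetup.log, wrapped lines rejoined

STAMP_RE = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d ")  # "06/25 16:06:01 "
FIELD_RE = re.compile(r"^(Machine|MachineAccountOU|Account): (.+)$")
EXISTS_RE = re.compile(r"\(Account already exists\) DN = (.+)$")
FAILED_RE = re.compile(r"^(\w+): (\w+) failed on .*?: (0x[0-9a-fA-F]+)")
ERROR_ACCESS_DENIED = 0x5  # the Win32 status NetUserSetInfo returned in the post

def parse_join(text):
    """Extract join parameters, the first failing call and the final status."""
    info = {"Machine": "", "MachineAccountOU": "", "Account": "", "existing_dn": None,
            "failed_call": None, "failed_status": 0, "final_status": None}
    for raw in text.splitlines():
        msg = STAMP_RE.sub("", raw)
        if m := FIELD_RE.match(msg):
            info[m.group(1)] = m.group(2)
        elif m := EXISTS_RE.search(msg):
            info["existing_dn"] = m.group(1)  # join is reusing a pre-created object
        elif (m := FAILED_RE.match(msg)) and info["failed_call"] is None:
            info["failed_call"] = m.group(1) + "/" + m.group(2)
            info["failed_status"] = int(m.group(3), 16)
        elif msg.startswith("NetpDoDomainJoin: status: "):
            info["final_status"] = int(msg.rsplit(" ", 1)[1], 16)
    # NetpLsaOpenSecret 0xc0000034 (object not found) only says no machine secret exists yet.
    return info

def diagnose(info):
    """Classify the attempt; 'access-denied-existing-object' is the case in this thread."""
    if info["final_status"] == 0:
        return "ok"
    if info["failed_status"] == ERROR_ACCESS_DENIED and info["existing_dn"]:
        # Creating in the OU works, but writing the existing object is refused.
        return "access-denied-existing-object"
    if info["failed_status"] == ERROR_ACCESS_DENIED:
        return "access-denied-create"
    return "other"
```

Run `diagnose(parse_join(open("netsetup.log").read()))` against a real log; a result of "access-denied-existing-object" together with the failed_call entry tells you the delegated account's rights stop short of what reusing a pre-created computer object needs, which is exactly what the replies below address.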
Re: Permissions to Delegate User For Netdom [message #156932 is a reply to message #156930] Fri, 26 June 2009 10:49
Marcin (Senior Member, United States)
Jorge Pinto has covered this in detail on his blog at
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

hth
Marcin
Re: Permissions to Delegate User For Netdom [message #156937 is a reply to message #156932] Fri, 26 June 2009 12:28
Charles (Member)
Thanks a million Marcin for the help. Excellent blog info!
Re: Permissions to Delegate User For Netdom [message #156966 is a reply to message #156930] Sun, 28 June 2009 06:11
meiweb(nospam) (Senior Member, Germany)
Hello Charles,

See this article about the permissions needed to add a computer to the domain
if the account already exists:
http://support.microsoft.com/kb/932455

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

