Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » User suddenly can no longer 'join workstation to the domain' denie
User suddenly can no longer 'join workstation to the domain' denie [message #368344] Thu, 14 January 2010 13:30 Go to next message
Mr Troy  is currently offline Mr Troy
Messages: 9
Registered: September 2009
Junior Member
Hi,

We have a 2003SP2/2008R2 environment. We have a specific account we use in
a script to automatically join the workstation to the domain.

The account has rights via a group...the group is listed in the domain
policy to "allow join workstations to the domain." Any other account in that
group works fine when joining PCs to the domain.

The account in the script receives the "access denied" pop-up when joining
to a domain.

Anyone ever seen and resolve a similar issue?

Thank you,
Mr Troy
Re: User suddenly can no longer 'join workstation to the domain' denie [message #368374 is a reply to message #368344] Thu, 14 January 2010 14:05 Go to previous messageGo to next message
meiweb  is currently offline meiweb  Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Mr Troy,

See if one of these applies:
http://support.microsoft.com/kb/243327/en-us

http://support.microsoft.com/kb/932455

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> We have a 2003SP2/2008R2 environment. We have a specific account we
> use in a script to automatically join the workstation to the domain.
>
> The account has rights via a group...the group is listed in the domain
> policy to "allow join workstations to the domain." Any other account
> in that group works fine when joining PCs to the domain.
>
> The account in the script receives the "access denied" pop-up when
> joining to a domain.
>
> Anyone ever seen and resolve a similar issue?
>
> Thank you,
> Mr Troy
Re: User suddenly can no longer 'join workstation to the domain' denie [message #368882 is a reply to message #368344] Fri, 15 January 2010 06:41 Go to previous messageGo to next message
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
Has the password expired?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Mr Troy" <MrTroy@discussions.microsoft.com> wrote in message
news:CCEEAF94-75DF-4A9C-BCB9-555BDF7FAEC5@microsoft.com...
> Hi,
>
> We have a 2003SP2/2008R2 environment. We have a specific account we use
> in
> a script to automatically join the workstation to the domain.
>
> The account has rights via a group...the group is listed in the domain
> policy to "allow join workstations to the domain." Any other account in
> that
> group works fine when joining PCs to the domain.
>
> The account in the script receives the "access denied" pop-up when joining
> to a domain.
>
> Anyone ever seen and resolve a similar issue?
>
> Thank you,
> Mr Troy
RE: User suddenly can no longer 'join workstation to the domain' denie [message #369006 is a reply to message #368344] Fri, 15 January 2010 09:15 Go to previous messageGo to next message
Mr Troy  is currently offline Mr Troy
Messages: 9
Registered: September 2009
Junior Member
Hi Paul,

Password is set to never expire and I can login to the domain with that
account.


Hi Meinolf,

I'll give the Delegation Wizard a shot-thank you.

Thing is, I don't understand why the account stopped working. Yes, there's
a 10 max computer accounts per user, but with the user account in a group
that is listed in the Domain Controller Policy to allow "add workstation to
the domain," I thought that should circumvent the limit of 10. It had been
working for at least 4 years and then "POOF" it stopped working with no rhyme
or reason.

Very strange,
Mr Troy
Re: User suddenly can no longer 'join workstation to the domain' denie [message #369086 is a reply to message #369006] Fri, 15 January 2010 10:30 Go to previous messageGo to next message
KevinJ.SBS  is currently offline KevinJ.SBS  United States
Messages: 653
Registered: July 2009
Senior Member
Mr Troy wrote:
> Hi Paul,
>
> Password is set to never expire and I can login to the domain with
> that account.

I'd rather delegate the right to the OU.

http://technet.microsoft.com/en-us/library/cc756064(WS.10).aspx

The Add Workstation to Domain user right is supported for applications that
use earlier SAM (Security Accounts Manager) NET APIs to create computer
accounts. Users that have this right are allowed to create 10 computer
accounts in the Active Directory Computers container using these earlier
APIs. When a user creates a computer account using this user right, the
Domain Admins group becomes the owner of the computer object. Note that this
right is not recognized when LDAP is used to create computer accounts.

In Windows 2000 and later, the recommended way to allow a user or group to
create computer accounts is by granting that user or group the permission to
Create Computer Objects on the desired container. This can be accomplished
in GPMC. When a computer account is created using access control
permissions, the actual creator of the object becomes the owner of that
object.
>
>
> Hi Meinolf,
>
> I'll give the Delegation Wizard a shot-thank you.
>
> Thing is, I don't understand why the account stopped working. Yes,
> there's a 10 max computer accounts per user, but with the user
> account in a group that is listed in the Domain Controller Policy to
> allow "add workstation to the domain," I thought that should
> circumvent the limit of 10. It had been working for at least 4 years
> and then "POOF" it stopped working with no rhyme or reason.
>
> Very strange,
> Mr Troy

--
/kj
RE: User suddenly can no longer 'join workstation to the domain' denie [message #369154 is a reply to message #368344] Fri, 15 January 2010 11:30 Go to previous message
Mr Troy  is currently offline Mr Troy
Messages: 9
Registered: September 2009
Junior Member
I haven't yet tested the Delegation piece. Will do that shortly.

In the meantime, I was able to get the user account to work once again-IF
it's both in the group and added as a user to the GPO "add workstation to the
domain."

Could've sworn I tried that yesterday, but I must have removed the account
from the group and added it separately.

Thank you everyone for your input...it is very helpful!

Mr. Troy
Previous Topic:Ignoring group policy when logging onto certain servers
Next Topic:Replication Errors
Goto Forum:
  


Current Time: Wed Jan 17 05:31:02 MST 2018

Total time taken to generate the page: 0.05150 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software