Local Admin on all machines and add comp to domain

this thread has 11 replies and has been viewed 3809 times

#11
17th May 2008, 03:59
f21
Re: Local Admin on all machines and add comp to domain

Sounds like you delegated account operator control to this team? The Account Operator group does not grant Read permissions on the built-in OU, so you need to fix your permissions.

Use the delegation control wizard again and create a custom task for the OU. Add Object Type control for computer objects + create/delete objects in this folder. Under permissions set Read/write account restrictions, reset password, validate write to DNS host name, and validate write to service principal name.

Should fix your access denied issue.
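
The delegation described in the post above can also be applied from the command line with dsacls, which leaves a reviewable record of exactly which rights were granted. This is an added example, not part of the original thread; the OU, the group name and the English-language display names are assumptions.

```powershell
# Assumed placeholders: substitute your own OU and the delegated group.
$ou  = 'OU=Workstations,DC=example,DC=com'
$grp = 'EXAMPLE\JoinTeam'

# One entry per right listed in the post.
# dsacls permission syntax: PermissionBits;Object/Property;InheritedObjectType
# Inherit 'T' = this object and sub-objects, 'S' = sub-objects only.
# The display names below assume an English-language directory.
$aces = @(
    @{ Inherit = 'T'; Perm = 'CCDC;computer' }                                         # create/delete computer objects in this OU
    @{ Inherit = 'S'; Perm = 'RPWP;Account Restrictions;computer' }                    # read/write account restrictions
    @{ Inherit = 'S'; Perm = 'CA;Reset Password;computer' }                            # reset password
    @{ Inherit = 'S'; Perm = 'WS;Validated write to DNS host name;computer' }          # validated write to DNS host name
    @{ Inherit = 'S'; Perm = 'WS;Validated write to service principal name;computer' } # validated write to SPN
)

foreach ($ace in $aces) {
    # ${grp} needs braces: "$grp:..." would be parsed as a scoped variable name.
    & dsacls.exe $ou "/I:$($ace.Inherit)" /G "${grp}:$($ace.Perm)"
}

# Review the result: show only the ACEs that name the delegated group.
& dsacls.exe $ou | Select-String -SimpleMatch $grp
```

Granting these rights on a dedicated OU rather than on the domain root keeps the delegation limited to the computer objects the team actually manages.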

#12
19th May 2008, 02:47
guyt [MSFT]
Re: Local Admin on all machines and add comp to domain

Quote:
Originally Posted by f21
Sounds like you delegated account operator control to this team? The Account Operator group does not grant Read permissions on the built-in OU, so you need to fix your permissions.

Any authenticated user has read access to almost all of the objects in the domain partition (including the built-in Computers and Users containers).
__________________
Guy Teverovsky
http://blogs.technet.com/b/isrpfeplat/
"Smith & Wesson - the original point and click interface"
All times are GMT +3.
