User suddenly can no longer 'join workstation to the domain' denied

Hi,

We have a 2003SP2/2008R2 environment. We have a specific account we use in
a script to automatically join the workstation to the domain.

The account has rights via a group...the group is listed in the domain
policy to "allow join workstations to the domain." Any other account in that
group works fine when joining PCs to the domain.

The account in the script receives the "access denied" pop-up when joining
to a domain.

Anyone ever seen and resolve a similar issue?

Thank you,
Mr Troy

Hello Mr Troy,

See if one of these applies:
http://support.microsoft.com/kb/243327/en-us

http://support.microsoft.com/kb/932455

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> We have a 2003SP2/2008R2 environment. We have a specific account we
> use in a script to automatically join the workstation to the domain.
>
> The account has rights via a group...the group is listed in the domain
> policy to "allow join workstations to the domain." Any other account
> in that group works fine when joining PCs to the domain.
>
> The account in the script receives the "access denied" pop-up when
> joining to a domain.
>
> Anyone ever seen and resolve a similar issue?
>
> Thank you,
> Mr Troy

Has the password expired?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Mr Troy" <MrTroy@discussions.microsoft.com> wrote in message
news:CCEEAF94-75DF-4A9C-BCB9-555BDF7FAEC5@microsoft.com...
> Hi,
>
> We have a 2003SP2/2008R2 environment. We have a specific account we use
> in
> a script to automatically join the workstation to the domain.
>
> The account has rights via a group...the group is listed in the domain
> policy to "allow join workstations to the domain." Any other account in
> that
> group works fine when joining PCs to the domain.
>
> The account in the script receives the "access denied" pop-up when joining
> to a domain.
>
> Anyone ever seen and resolve a similar issue?
>
> Thank you,
> Mr Troy

Hi Paul,

Password is set to never expire and I can login to the domain with that
account.


Hi Meinolf,

I'll give the Delegation Wizard a shot-thank you.

Thing is, I don't understand why the account stopped working. Yes, there's
a 10 max computer accounts per user, but with the user account in a group
that is listed in the Domain Controller Policy to allow "add workstation to
the domain," I thought that should circumvent the limit of 10. It had been
working for at least 4 years and then "POOF" it stopped working with no rhyme
or reason.

Very strange,
Mr Troy

Mr Troy wrote:
> Hi Paul,
>
> Password is set to never expire and I can login to the domain with
> that account.

I'd rather delegate the right to the OU.

http://technet.microsoft.com/en-us/l...64(WS.10).aspx

The Add Workstation to Domain user right is supported for applications that
use earlier SAM (Security Accounts Manager) NET APIs to create computer
accounts. Users that have this right are allowed to create 10 computer
accounts in the Active Directory Computers container using these earlier
APIs. When a user creates a computer account using this user right, the
Domain Admins group becomes the owner of the computer object. Note that this
right is not recognized when LDAP is used to create computer accounts.

In Windows 2000 and later, the recommended way to allow a user or group to
create computer accounts is by granting that user or group the permission to
Create Computer Objects on the desired container. This can be accomplished
in GPMC. When a computer account is created using access control
permissions, the actual creator of the object becomes the owner of that
object.
>
>
> Hi Meinolf,
>
> I'll give the Delegation Wizard a shot-thank you.
>
> Thing is, I don't understand why the account stopped working. Yes,
> there's a 10 max computer accounts per user, but with the user
> account in a group that is listed in the Domain Controller Policy to
> allow "add workstation to the domain," I thought that should
> circumvent the limit of 10. It had been working for at least 4 years
> and then "POOF" it stopped working with no rhyme or reason.
>
> Very strange,
> Mr Troy

--
/kj

I haven't yet tested the Delegation piece. Will do that shortly.

In the meantime, I was able to get the user account to work once again-IF
it's both in the group and added as a user to the GPO "add workstation to the
domain."

Could've sworn I tried that yesterday, but I must have removed the account
from the group and added it separately.

Thank you everyone for your input...it is very helpful!

Mr. Troy