Account operators cannot always join the domain
Hi all, we've been having sporadic problems with computers being unable to join the domain using account operator authentication. I am a domain admin and will oftentimes (well, 5% of the time) have to join PCs to the domain for the other technicians. I originally suspected that a GPO on a bad ghost disc was causing the issue. I'd take a clean group policy folder from another computer, overwrite the sys32 folder with it, and it would work for 50% of those machines. Unfortunately we have thousands and thousands of machines here and it would simply be impossible to reghost them all, so I've been trying to track down a more specific cause, but have been unsuccessful. We had a case where 16 identical computers were made using the same ghost. Approximately 5 of these were able to join the domain using account operator logins. After applying the new group policy folder, another 5 of these were able to join the domain. The remaining six were unable to join without using my login/pass. We used the same network cable for all of these machines. What policies might be restricting this? Any other ideas for other possible causes?
March 19th, 2008 1:45am
Fixed. Apparently the Account Operator group does not grant Read permissions on the built-in OU. Delegated control and created a custom task for our main computer OU groups. Added Object Type control for computer objects + create/delete objects in this folder. Under permissions, set Read/write account restrictions, reset password, validated write to DNS host name, and validated write to service principal name.
Works like a charm now.
April 3rd, 2008 9:02pm
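The same delegation applied with PowerShell instead of the Delegation of Control wizard, as an added example that is not from the thread: it grants one group the ability to create/delete computer objects in a specific OU plus the four per-computer rights the fix above lists (Account Restrictions read/write, Reset Password, validated write to DNS host name, validated write to SPN), resolving every GUID from the directory rather than hard-coding it. The OU DN and the group name are placeholders.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the thread): the OU holding the
# workstations and the sAMAccountName of the technicians' delegation group.
$ouDN     = "OU=Workstations,DC=example,DC=com"
$groupSam = "Workstation-Joiners"

$rootDSE  = Get-ADRootDSE
$schemaNC = $rootDSE.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDSE.configurationNamingContext)"

# Resolve the computer class GUID and the extended-right / property-set GUIDs
# from the forest instead of hard-coding them.
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID
function Get-RightGuid([string]$DisplayName) {
    [guid](Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid).rightsGuid
}

$sid   = (Get-ADGroup -Identity $groupSam).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE scoped to computer objects beneath the OU (inheritedObjectType = computer).
function New-Ace([string]$Rights, [guid]$ObjectType) {
    $ctorArgs = @($sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $allow, $ObjectType, $desc, $computerGuid)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
}

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Create/delete computer objects in this OU and its sub-OUs.
$createDelete = @($sid, [System.DirectoryServices.ActiveDirectoryRights]"CreateChild,DeleteChild", $allow, $computerGuid, $all)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $createDelete))

# 2. The per-computer rights named in the fix above.
$acl.AddAccessRule((New-Ace "ReadProperty,WriteProperty" (Get-RightGuid "Account Restrictions")))
$acl.AddAccessRule((New-Ace "ExtendedRight" (Get-RightGuid "Reset Password")))
$acl.AddAccessRule((New-Ace "Self" (Get-RightGuid "Validated write to DNS host name")))
$acl.AddAccessRule((New-Ace "Self" (Get-RightGuid "Validated write to service principal name")))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show the ACEs the group now holds on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupSam" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Scoping the rights to one OU this way lets the technicians' group join machines without being members of Account Operators at all, which keeps the built-in group's much broader user and group management rights out of the picture.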