I want to delegate IT managers in another site to approve pending requests in WDS

    Question

  • As sysadmin, I want to delegate IT managers in another site to approve pending requests in WDS. I won't add him to the Administrators group; I only added him to the Remote Desktop Users group.

    After some research I did these steps, but he still gets the same error: "access denied".

    Read and write permissions for the folder that contains the database file Binlsvcdb.mdb in the RemoteInstall share (for example, C:\RemoteInstall\MGMT). The actual account of an approved pending computer is created by using the server’s authentication token, not the token of the administrator who is performing the approval. Therefore, in AD DS, you must grant rights to the Windows Deployment Services server’s account (WDSSERVER$) to create computer account objects for the containers and OUs where the approved pending computers will be created.

    To grant permissions to approve a pending computer

    1. Open Active Directory Users and Computers.
    2. Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control.
    3. On the first screen of the wizard, click Next.
    4. Change the object type to include computers.
    5. Add the computer object of the Windows Deployment Services server, and then click Next.
    6. Select Create a Custom task to delegate.
    7. Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next.
    8. In the Permissions box, select the Write all Properties check box, and click Finish.
    Tuesday, February 28, 2017 9:45 AM
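
The delegation steps quoted in the question above, as a scripted approximation followed by a check that the ACEs actually landed on the OU. This is an added example, not part of the original post; the OU distinguished name and the domain/server name are placeholder assumptions.

```powershell
# Added example. Replace the two placeholder values with your own.
Import-Module ActiveDirectory

$OuDn       = 'OU=Staging,DC=example,DC=com'   # hypothetical OU for approved pending computers
$WdsAccount = 'EXAMPLE\WDSSERVER$'             # computer account of the WDS server (placeholder)

# Step 7: allow creating computer objects in this OU and its sub-containers.
#   CC = Create Child, limited to the "computer" object class; /I:T = this object and descendants.
dsacls $OuDn /I:T /G "${WdsAccount}:CC;computer"

# Step 8: allow writing all properties, but only on descendant computer objects.
#   WP = Write Property; empty property field = all properties; /I:S = descendants only.
dsacls $OuDn /I:S /G "${WdsAccount}:WP;;computer"

# Verification: list the explicit (non-inherited) ACEs for the WDS account that are
# scoped to the computer class. schemaIDGUID of the "computer" class:
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $WdsAccount -and -not $_.IsInherited } |
    Where-Object { $_.ObjectType -eq $ComputerClass -or
                   $_.InheritedObjectType -eq $ComputerClass } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# Expected: one Allow ACE with CreateChild (ObjectType = computer) and one Allow ACE
# with WriteProperty (InheritedObjectType = computer). If both are present and the
# approval still fails with "access denied", the OU delegation is not the missing piece.
```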

All replies

  • Hi,

    Have you selected the “create selected objects in this folder” option as below?

    Please have a try to select the following option in the Permissions box and see if it helps:

    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, March 1, 2017 7:36 AM
    Moderator
  • Dear Wendy,

    Still he got access denied.

    Thursday, March 2, 2017 6:26 AM
  • Hi,

    Instead of delegating permission to the service account, please try delegating the right to a standard user or to the Remote Desktop Users group that you configured.

    Best regards,

    Wendy



    Monday, March 6, 2017 2:04 AM
    Moderator
  • Dear Wendy,

    Yes, I'm trying to delegate the right to the "IT Manager" in another site. He is already in the Remote group, and I also added the Remote group in the delegation, but the same issue happens (access denied). Sorry for bothering you :)


    Monday, March 6, 2017 9:55 AM
  • Hi,

    It seems that the correct action was taken to delegate permission to groups, so the problem seems to be that the wrong group was delegated the permission.

    Based on research on a similar problem, we need to grant permissions in the Active Directory OU to the WDS server computer account to allow it to modify and create computer accounts in the domain. So please also try delegating the permission to the WDS server computer account and see if it helps.

    Best regards,

    Wendy



    Thursday, March 9, 2017 1:40 AM
    Moderator
  • Dear Wendy ,

    The scenario is: when I put the “IT manager” in the local Administrators group, he can approve normally.

    I think the issue is not related to delegation in AD. I also gave him Full Control on the “C:\RemoteInstall” folder, but he still gets “Access Denied”.

    Thursday, March 9, 2017 8:01 AM
  • Hi,
    I agree with you that it seems not to be related to permissions in AD. Maybe extra permission is needed, such as the local admin permission which is working for you, as the scenario is “across sites”.
    Best regards,
    Wendy


    Monday, March 13, 2017 1:55 AM
    Moderator
  • Dear Wendy,

    So, kindly advise!

    Monday, March 13, 2017 2:50 PM
  • Hi,

    I am not sure what permissions are necessary to approve pending requests in WDS across sites; it is not in the scope of directory services. For me, I would delegate admin permissions to this user to do that.

    If you don’t want to make this user an admin, you could open a case with Microsoft Technical Support to see if they can find out what specific permissions are still needed: https://support.microsoft.com/en-us/contactus/?ws=support

    Best regards,

    Wendy



    Thursday, March 16, 2017 1:39 AM
    Moderator