Delegation issue

    Question

  • Hi, recently we created an additional domain controller in a different location and did the delegation to allow joining the domain for a particular OU. But it is not working; it gives some error. Please help asap.

    • Edited by NNMRAO Saturday, February 4, 2017 7:11 AM
    Saturday, February 4, 2017 6:54 AM

Answers

  • Hi, thanks for the reply. Shall I create a new policy instead of editing the default domain controller policy? Please also guide whether to keep authenticated users or the users who are going to add computers into the domain.
    It all depends on your organization policy. I did not like anyone to join PCs to the domain, so I restricted it to just Help Desk Admins. You do not need a separate GPO. You should do it on Default Domain Controller Policy AFAIK.

    Mahdi Tehrani   |     |   www.mahditehrani.ir
    Please click on Propose As Answer or to mark this post as and helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Wednesday, February 8, 2017 7:30 AM
    Moderator

All replies

  • Firstly, the error indicates there is an existing computer account in the domain. So search the whole domain and delete the identical name and then try to join.

    Secondly, there is no need for delegation for this. You can edit the policy here:


    Mahdi Tehrani   |     |   www.mahditehrani.ir

    Saturday, February 4, 2017 8:01 AM
    Moderator
  • Hi, I have checked under Active Directory, there is no computer account with the same name. Also, if I put in domain administrator credentials instead of the delegated user, then it allows me to add the computer into the domain.
    Saturday, February 4, 2017 8:04 AM
  • Hi, I have checked under Active Directory, there is no computer account with the same name >>> Also check DNS, maybe there is a related record.

    For delegating permission, check these steps:

    - Start the Delegate Control wizard on the OU/CN you want to modify.
    - Select the group/user. Choose "Create a custom task to delegate".
    - Select "Only the following objects in the folder".
    - Tick: "Computer objects" and "Create selected objects in this folder".
    - On the next page, tick "Create all child objects".


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Saturday, February 4, 2017 11:55 AM
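To check what the Delegate Control wizard steps above actually left on the OU, the OU's ACL can be listed for principals allowed to create computer objects. This is an added example, not part of any reply in the thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the OU distinguished name is a placeholder.

```powershell
# Added example: list principals that may create computer objects in an OU.
# Assumption: ActiveDirectory module (RSAT) is available; the OU DN is a placeholder.
Import-Module ActiveDirectory

$ouDn = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU, replace with your own

# schemaIDGUID of the "computer" object class; an empty GUID means "all object classes"
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$allClasses    = [guid]::Empty
$createChild   = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# The AD: drive is provided by the ActiveDirectory module
$acl = Get-Acl -Path "AD:\$ouDn"

$acl.Access |
    Where-Object {
        # Allow ACEs only; Deny ACEs are reported separately below
        $_.AccessControlType -eq 'Allow' -and
        # CreateChild bit set (GenericAll also includes it)
        (([int]$_.ActiveDirectoryRights -band $createChild) -ne 0) -and
        # Scoped to computer objects, or to every object class
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq $allClasses)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize

# Deny ACEs on the same right override the grants listed above
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (([int]$_.ActiveDirectoryRights -band $createChild) -ne 0)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

If the delegated group does not appear in the first table, the wizard was applied to a different OU or to a different principal than the one used for the join.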
  • Hi, I have checked under Active Directory, there is no computer account with the same name >>> Also check DNS, maybe there is a related record.

    For delegating permission, check these steps:

    - Start the Delegate Control wizard on the OU/CN you want to modify.
    - Select the group/user. Choose "Create a custom task to delegate".
    - Select "Only the following objects in the folder".
    - Tick: "Computer objects" and "Create selected objects in this folder".
    - On the next page, tick "Create all child objects".


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Not sure if that is gonna work. Because AFAIK this delegation will allow them to create computer objects rather than joining. Also if there should be a delegation, it should be on 'Computers' container (not sure even if you can delegate there) because this is the default container for newly joined PC's. 

    So I think modifying 'Default Domain Controller Policy' at Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Add workstations to Domain should do the trick.

    Correct me if I am missing something Burak. :)


    Mahdi Tehrani   |     |   www.mahditehrani.ir

    Sunday, February 5, 2017 4:06 AM
    Moderator
  • Hi, thanks for the reply. We already tried the above steps, but they did not work.
    Tuesday, February 7, 2017 7:27 AM
  • Hi, thanks for the reply. Shall I create a new policy instead of editing the default domain controller policy? Please also guide whether to keep authenticated users or the users who are going to add computers into the domain.
    Tuesday, February 7, 2017 7:30 AM
  • Hi, I am also going to allow only Help Desk Admins. Thanks.
    Wednesday, February 8, 2017 7:48 AM
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers. Please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, February 10, 2017 8:24 AM
    Moderator
  • Hi, we have already marked the respective answers.

    Friday, February 10, 2017 8:54 AM
  • Hi,
    Sorry, we have not seen the marked answers in this thread. Could you please click the “Mark as answer” option under the helpful replies again?

    Thank you for the cooperation.
    Best regards,
    Wendy



    Monday, February 13, 2017 2:36 AM
    Moderator