Error: The user you have specified is not permitted to join the machine to the domain RRS feed

  • Question

  • Inherited a domain with a lot of machines that have already been added in different OUs. A lot of these machines now need to be re-installed.

    I have a syspreped Windows XP imagex capture for them.

    I have also delegated permissions for an account to add these machines to the domain; however, some of the machine accounts already exist in the domain.

    In the [Identification] section of sysprep.inf, when the delegated account is used, it will only add machines that don't exist in the domain. If the account already exists, it gives the "The user you have specified is not permitted to join the machine to the domain.." error. If a domain admin account is used in its place, the machine add to domain goes just fine.

    So the summary:

    Delegated account CAN add machines to any OU if the machine account doesn't exist in the domain.

    Delegated account CANNOT add any machine that has a pre-existing account if done in sysprep.inf

    Delegated account CAN add any machine that has a pre-existing account if done manually.

    Domain Admin account CAN add any machine in any of the above scenarios.

    Is there a way to do this without using a Domain Admin account? These wim images go on USB sticks and I'd very much like to not have every tech in the office have access to a domain admin account.

    I had initially posted this in the Windows XP Forums, but the moderator there instructed me to post it here.

    Thanks in advance.

    Tuesday, October 26, 2010 1:21 PM

All replies

  • I have exactly the same problem.

    Anybody have the solution about that ?



    Friday, July 22, 2011 7:21 AM
  • Hi,

    SP1 introduced additonal RPC and SAMR security and during the upgrade SP1
    adds new entries to NULL Session Pipes. However if you set the " Network
    access: Named Pipes that can be accessed anonymously" Group policy then the
    updates that SP1 will be over written and thus the workstation will not have
    the ability to access SAMR in order to confirm a workstation account exists
    in AD.

    To fix this problem, set the following registry key
    "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\lan manserver\parameters\NullSessionPipes" and or Group Policy should include the following entries.


    CREDIT: Tim


    If that does not work, can you post the winnt.sif file as per http://support.microsoft.com/kb/216586

    Kind Regards,



    If you find my information useful, please rate it. :-)
    Sunday, July 24, 2011 11:07 AM