WDS 2012 R2, Console running on RDS for remote admin, Access Denied when approving

  • Question

  • Hey team,

    If I've put this in the wrong forum, please direct me.

    I have WDS working on a server. Clients boot and install. I can approve them from this server's WDS console. WDS server is a domain member. Configured to require approval, but put computers "Same domain as the Windows Deployment Services server".

    The problem occurs when I'm using the WDS console (to approve pending computers) from my RDS server with WDS console. I can seem to do everything else, except approving pending. Gives me Access Denied.

    The account I'm using is the same between both. Domain Admin.

    I've read articles about managing permission / delegation on the AD OU. I believe I've done this. Seen some mixed advice. I currently have a Global Security Group with both the WDS and the RDS servers as members, and this group has permissions at the root level in AD for "Create Computer objects" and also some others: "List contents", "Read all properties", "Write all properties", "Read permissions".

    Thoughts?

    Thursday, April 5, 2018 3:46 AM

All replies

  • Hi,

    Just to confirm with you about the configuration below:
    1. Open Active Directory Users and Computers.
    2. Right click Computers OU or the OU that the computer account is being created in.
    3. Click delegate control.
    4. Click add and enter computer name of the WDS server.
    5. Select Create a custom task to delegate.
    6. Choose "this folder, existing objects in this folder, and creation of new objects in this folder".
    7. Choose general and full control.

    Save the change and check the result.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by javedkhan1984 Tuesday, April 10, 2018 4:52 AM
    Friday, April 6, 2018 7:42 AM
    Moderator
  • Thanks. I did what you asked. I can approve from the RDS server now. I also changed it to grant my group, which worked also.

    Should I look next at granting only the permissions required?

    Tuesday, April 10, 2018 3:55 AM
  • Hi,

    >Should I look next at granting only the permissions required?
    Please provide more information. 

    Besides, please click “Mark as answer” if the above reply is helpful. It would move this reply to the top and make it easier to find for other people who have a similar problem.

    Thank you for your cooperation.

    Best Regards,
    Eve Wang


    Wednesday, April 11, 2018 9:23 AM
    Moderator
  • Sure.

    In your advice above, you have asked me to grant 'Full Control' to the computer accounts.

    Would this not grant additional permissions over the selected OU than required? Is there a security risk with this?

    Thursday, April 12, 2018 12:12 AM
  • Just to ensure you understand. I am responsible for both functionality AND security. As a business I'm not interested in implementing insecure practice, let alone recommend it to others.

    Maybe if I rephrase the question. Do you have the required permissions set for WDS Approval? And hopefully including approval from remote admin servers.

    Then maybe I can work backwards, from FULL CONTROL, to REQUIRED CONTROL.

    Tuesday, April 24, 2018 3:53 AM
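
One way to see what the delegation discussed in this thread actually granted on the OU, before working back from Full Control. This is an added example, not code from any poster or from Microsoft; the OU distinguished name and the account and group names are placeholders, and it assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: report what selected principals are allowed to do on one OU.
# Placeholders (not from the thread): $OuDn and every name in $Principals.
Import-Module ActiveDirectory                      # provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices    # ActiveDirectoryRights enum

$OuDn       = 'OU=Deployment,DC=example,DC=com'
$Principals = 'EXAMPLE\WDS01$', 'EXAMPLE\RDS01$', 'EXAMPLE\WDS-Approvers'

$Rights        = [System.DirectoryServices.ActiveDirectoryRights]
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "computer"
$AnyObject     = [guid]::Empty                                  # ACE not limited to one class or attribute

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $Principals -contains $_.IdentityReference.Value } |
    ForEach-Object {
        $r = $_.ActiveDirectoryRights
        # Label the entries the thread talks about; everything else is left for manual review.
        $note = if ($_.AccessControlType -ne 'Allow') {
            'Deny entry'
        } elseif ($r.HasFlag($Rights::GenericAll)) {
            'Full control'
        } elseif ($r.HasFlag($Rights::CreateChild) -and $_.ObjectType -eq $ComputerClass) {
            'Create Computer objects'
        } elseif ($r.HasFlag($Rights::CreateChild) -and $_.ObjectType -eq $AnyObject) {
            'Create child objects of any class'
        } elseif ($r.HasFlag($Rights::WriteProperty) -and $_.ObjectType -eq $AnyObject) {
            'Write all properties'
        } else {
            'Other: read the Rights column'
        }
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Rights    = $r
            AppliesTo = $_.InheritanceType
            Inherited = $_.IsInherited
            Note      = $note
        }
    } | Sort-Object Principal | Format-Table -AutoSize -Wrap
```

Rights held through group membership appear under the group's name, so list the group as well as the individual computer accounts. Running it before and after each change to the delegation shows exactly which entry was added or removed.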