Channel: Directory Services forum

Joining computer with pre-staged account fails (insufficient access rights)


Hi,

due to corporate policy, most of our support staff should not have write access to Active Directory. They can use AD Manager Plus to create computer accounts, and then they should be able to join these.

This fails in most cases with "Access Denied", and I was unable to figure out the reason. According to various sources, to be able to join computers, users must have these permissions on computer objects:

  • Reset Password
  • Read and write Account Restrictions
  • Validated write to DNS host name
  • Validated write to service principal name

Some articles also mention these additional permissions:

  • Read account restrictions
  • Write account restrictions

We granted all of these (on domain level applied to "Descendant Computer objects"); I verified that the users in question have these permissions on the computer objects in question. Still, domain join fails with "Access Denied".

This is the relevant part of netsetup.log:

 NetpGetComputerObjectDn: Cracking DNS domain name uponor.local/ into Netbios on \\DCNAME.domainname.dns
 NetpGetComputerObjectDn: Crack results: 	name = DOMAINNAME\
 NetpGetComputerObjectDn: Cracking account name DOMAINNAME\COMPUTERNAME$ on \\DCNAME.domainname.dns
 NetpGetComputerObjectDn: Crack results: 	(Account already exists) DN = CN=COMPUTERNAME,OU=Desktops...
 NetpModifyComputerObjectInDs: Initial attribute values:
 		objectClass  =  Computer
 		SamAccountName  =  COMPUTERNAME$
 		userAccountControl  =  0x1000
 		DnsHostName  =  COMPUTERNAME.domainname.dns
 		ServicePrincipalName  =  HOST/COMPUTERNAME.domainname.dns  RestrictedKrbHost/COMPUTERNAME.domainname.dns  HOST/COMPUTERNAME  RestrictedKrbHost/COMPUTERNAME
 		unicodePwd  =  <SomePassword>
 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
 		objectClass  =  top  person  organizationalPerson  user  computer
 		SamAccountName  =  COMPUTERNAME$
 		userAccountControl  =  0x1020
 		DnsHostName  =
 		ServicePrincipalName  =
 		unicodePwd  =  Account exists, resetting password: <SomePassword>
 NetpModifyComputerObjectInDs: Attribute values to set:
 		DnsHostName  =  COMPUTERNAME.domainname.dns
 		ServicePrincipalName  =  HOST/COMPUTERNAME.domainname.dns  RestrictedKrbHost/COMPUTERNAME.domainname.dns  HOST/COMPUTERNAME  RestrictedKrbHost/COMPUTERNAME
 		unicodePwd  =  <SomePassword>
 NetpMapGetLdapExtendedError: Parsed [0x2098] from server extended error string: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 NetpModifyComputerObjectInDs: ldap_modify_s failed: 0x32 0x5
 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5
 NetpProvisionComputerAccount: LDAP creation failed: 0x5

I also traced LDAP queries on the domain controller, and the last entry (that seems to be the failing one) is this:

DsDBIndexChosen,       Info,            0,          4,          0,          0,          0,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131083286,      89250,    1161105, "DS", 4, 2, 2399404096, 41986816, "idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;", "NTDS",  0x1A000000
 DsDirSearch,        End,            0,          4,          0,          0,          2,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131083607,      89250,    1161105, "DS", 4, 6, 1157955648, 41986816, "0", " ( |  (servicePrincipalName=RestrictedKrbHost/COMPUTERNAME)  (servicePrincipalName=HOST/COMPUTERNAME)  (servicePrincipalName=RestrictedKrbHost/COMPUTERNAME.
.local)  (servicePrincipalName=HOST/COMPUTERNAME.domain.dns) ) ", "idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;", "0", "0", "NTDS", "", "",  0xD8C07BBFFB7F0000
    DsDirMod,      Start,            0,          4,          0,          0,          1,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131083775,      89250,    1161105, "DS", 4, 2, 1241841728, 41986816, "10.208.5.203:60584", "CN=COMPUTERNAME,OU=Desktops...", "",  0x0300
    DsDirMod,      Start,            0,          4,          0,          0,          1,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131083793,      89250,    1161105, "DS", 4, 2, 1241841728, 41986816, "10.208.5.203:60584", "CN=COMPUTERNAME,OU=Desktops...", "",  0x2011
    DsDirMod,        End,            0,          4,          0,          0,          2,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131083812,      89250,    1161105, "DS", 4, 2, 1258618944, 41986816, "0", "NTDS",  0x7CD07800
 LdapRequest,        End,            0,          4,          0,          0,          2,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131085222,      89250,    1161105, "DS", 4, 6, 4110745664, 41986816, "3", "50", "NonDSE", "Insufficient Rights", "8", "NTDS",  0xF2F27800000064EBF2F27800
 LdapRequest,      Start,            0,          4,          0,          0,          1,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131089523,      89250,    1161105, "DS", 4, 3, 4093968448,        0, "10.208.5.203:60584", "Sign/Seal", "TCP", "",  0x64EBF2F2
 LdapRequest,        End,            0,          4,          0,          0,          2,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131089714,      89250,    1161105, "DS", 4, 6, 4110745664, 41986816, "4", "0", "NonDSE", "Success", "3", "NTDS",  0x90A14FC0FB7F0000E0EBF2F2

It seems like an issue with the servicePrincipalName to me, but I'm running out of ideas about what to check.

I also added the permissions "Create computer objects" and "Delete computer objects" for the OU where the computer objects reside, but that also did not help.

The users in question do NOT have the user right "Add computers to the domain" in AD. Should they? (From what I read, it should work without if object permissions are correct ...)

Does anyone have an idea what could be the issue?
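As an added check (not part of the original post), the PowerShell below reports, for one pre-staged computer object, whether the joining user's effective ACEs carry each of the four rights listed above, so the INSUFF_ACCESS_RIGHTS in netsetup.log can be matched against a concrete missing ACE. It assumes the RSAT ActiveDirectory module; the computer and user names are placeholders.

```powershell
# Added example, not from the original post: audit the join-related rights a support user
# effectively holds on a pre-staged computer object. Assumes the ActiveDirectory RSAT module;
# the computer and user names are placeholders.
param(
    [string]$ComputerName = 'COMPUTERNAME',   # sAMAccountName without the trailing $
    [string]$UserName     = 'support.user'    # sAMAccountName of the joining user
)
Import-Module ActiveDirectory

# Resolve the rights GUIDs from the forest's Extended-Rights container instead of hardcoding them.
$cfg = (Get-ADRootDSE).configurationNamingContext
$rightsByName = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" -LDAPFilter '(objectClass=controlAccessRight)' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $rightsByName[$_.displayName] = [guid]$_.rightsGuid }

# Right name as displayed in Extended-Rights, and the ACE access mask that carries it.
$required = @(
    @{ Name = 'Reset Password';                            Right = 'ExtendedRight' }
    @{ Name = 'Account Restrictions';                      Right = 'WriteProperty' }   # property set
    @{ Name = 'Validated write to DNS host name';          Right = 'Self' }
    @{ Name = 'Validated write to service principal name'; Right = 'Self' }
)

# SIDs the user presents: own SID, transitive group SIDs, plus Everyone and Authenticated Users.
$user = Get-ADUser -Identity $UserName -Properties tokenGroups
$sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { "$_" }) + @('S-1-1-0', 'S-1-5-11')

$computer = Get-ADComputer -Identity $ComputerName
$acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)   # effective DACL, inherited ACEs included

foreach ($req in $required) {
    $guid = $rightsByName[$req.Name]
    $mask = [System.DirectoryServices.ActiveDirectoryRights]$req.Right
    $all  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $hits = $acl.Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        ($sids -contains $sid) -and
        (($_.ObjectType -eq [guid]::Empty) -or ($_.ObjectType -eq $guid)) -and   # empty = all rights
        ((($_.ActiveDirectoryRights -band $mask) -ne 0) -or (($_.ActiveDirectoryRights -band $all) -ne 0))
    }
    $allow = @($hits | Where-Object AccessControlType -eq 'Allow').Count
    $deny  = @($hits | Where-Object AccessControlType -eq 'Deny').Count
    '{0,-45} allow ACEs={1}  deny ACEs={2}' -f $req.Name, $allow, $deny
}
```

A row with no allow ACE, or with a deny ACE, points at the attribute the failing ldap_modify in netsetup.log tries to set (DnsHostName, ServicePrincipalName, unicodePwd). The check matches ACEs on the property set as a whole; an ACE granted on an individual attribute such as userAccountControl would not be counted.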
