Hello rob_uc,
Thank you for posting in Microsoft Community forum.
It sounds like you're experiencing an issue where only the individual who creates a computer object in Active Directory (AD) is able to join the system, even though permissions are correctly assigned. This could sometimes be due to specific security or permission settings, or updates that might have changed expected behavior.
Here are a few things you might want to check:
1. Delegated Permissions: Verify that appropriate permissions have been delegated correctly in AD. The user who is attempting to join the computer to the domain needs "Create Computer Objects" and "Delete Computer Objects" permissions in the respective organizational unit (OU).
2. Group Policy: Ensure that there are no group policies applied that might be restricting users from joining computers to the domain. Particularly, check the policy "Add workstations to domain," which should include the users or groups that need to join computers to AD.
3. Pre-created Computer Accounts: Ensure that the pre-created computer accounts are in the correct OU and that the person trying to join the computer has the required permissions on these accounts.
4. Event Logs: Check the event logs on both the client machine and the domain controller for any errors or warnings when the join attempt fails. This can provide more specific information on what might be going wrong.
5. KB Articles and Updates: Although you mentioned not finding any relevant KB articles, it's worth looking at the recent updates installed on your domain controllers and clients. Sometimes, updates can change default behaviors or introduce new permissions requirements.
I think it might be caused by a KB. I used to see a similar article, but I can't find it now; please check whether you have installed any KB recently.
Here's how you might go about checking some of these:
Checking Delegated Permissions:
- Open "Active Directory Users and Computers."
- Right-click the OU where the computer objects reside and select "Delegate Control."
- Use the wizard to review or add user/group permissions for managing computer objects.
Reviewing Group Policy:
- Open "Group Policy Management Console."
- Navigate to the relevant policy and check under "Computer Configuration" -> "Policies" -> "Windows Settings" -> "Security Settings" -> "Local Policies" -> "User Rights Assignment."
- Look for "Add workstations to domain" and ensure it's correctly configured.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
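The three checks the reply walks through (OU delegation, the "Add workstations to domain" right, and the rights on a pre-created computer account) can be read out with PowerShell instead of clicking through the consoles. This is an added, read-only example and not part of the original answer; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and computer name are placeholders.

```powershell
# Added example (not from the original post): read-only audit of the three checks above.
# Assumes the RSAT ActiveDirectory module; $OuDn and $ComputerName are placeholders.
Import-Module ActiveDirectory

$OuDn         = 'OU=Workstations,DC=contoso,DC=com'   # placeholder OU
$ComputerName = 'WS-PRESTAGED01'                      # placeholder pre-created account

# Schema GUID of the "computer" object class; ACEs scoped to this GUID grant
# Create/Delete Child for computer objects only. Guid.Empty means "all object types".
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-ComputerObjectDelegation {
    # Who may create or delete computer objects in this OU (check 1 in the reply)
    param([string]$DistinguishedName)
    (Get-Acl -Path ("AD:\" + $DistinguishedName)).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -match 'CreateChild|DeleteChild|GenericAll') -and
            ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $ComputerClassGuid)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

function Get-PrestagedComputerAccess {
    # Owner and explicit ACEs on a pre-created account (check 3): the creator becomes
    # Owner; anyone else who should complete the join needs an explicit Allow ACE here.
    param([string]$Name)
    $dn  = (Get-ADComputer -Identity $Name).DistinguishedName
    $acl = Get-Acl -Path ("AD:\" + $dn)
    Write-Host ("Owner of {0}: {1}" -f $Name, $acl.Owner)
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

function Get-AddWorkstationsRight {
    # Effective "Add workstations to domain" right (check 2) as the SIDs holding
    # SeMachineAccountPrivilege; run on a domain controller to see the DC's policy.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($line) { (($line.Line -split '=')[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') } }
}

Get-ComputerObjectDelegation -DistinguishedName $OuDn | Format-Table -AutoSize
Get-PrestagedComputerAccess  -Name $ComputerName      | Format-Table -AutoSize
Get-AddWorkstationsRight
```

If the joining user appears in neither the OU delegation output nor the explicit ACEs on the pre-created account, that is the gap to fix with the Delegate Control wizard described above.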