Domain Join failed

September 11, 2021 | Active Directory

A delegated security group is unable to join systems to the domain; the IT admin gets the error “Access Denied”.

Start your investigation from the client machine's NetSetup.log (%windir%\debug\NetSetup.log), which records each step of the join and points you towards the cause. Here it shows the attributes the client tries to write to the computer object, followed by the LDAP error the domain controller returned:

06/06/2021 10:25:23:033 NetpModifyComputerObjectInDs: Attribute values to set:

06/06/2021 10:25:23:033   DnsHostName  =  Client-PC.cloudapex.com

06/06/2021 10:25:23:033   ServicePrincipalName  =  HOST/Client-PC.cloudapex.com RestrictedKrbHost/Client-PC.cloudapex.com HOST/Client-PC  RestrictedKrbHost/Client-PC

06/06/2021 10:25:23:033   unicodePwd  =  <SomePassword>

06/06/2021 10:25:23:035 NetpMapGetLdapExtendedError: Parsed [0x2098] from server extended error string: 00002098: SecErr: DSID-03150F93, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

To resolve the issue in which users cannot join a computer to a domain, follow these steps:

  1. Click Start, click Run, type dsa.msc, and then click OK.
  2. In the task pane, expand the domain node.
  3. Locate and right-click the OU that you want to modify, and then click Delegate Control.
  4. In the Delegation of Control Wizard, click Next.
  5. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
  6. In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
  7. Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
  8. Click Next.
  9. In the Permissions list, click to select the following check boxes:
    • Reset Password
    • Read and write Account Restrictions
    • Validated write to DNS host name
    • Validated write to service principal name
  10. Click Next, and then click Finish.
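As an added PowerShell example (not from the original post), the following applies the same delegation the wizard steps above describe, using the ActiveDirectory module's AD: drive and Set-Acl; the group name and OU distinguished name are assumed placeholders, and the GUIDs are the well-known schema and rights identifiers behind each check box in steps 7 and 9.

```powershell
# Added example: grant a group the rights needed to join computers to an OU.
# Assumes the RSAT ActiveDirectory module is installed and the caller may edit the OU's ACL.
Import-Module ActiveDirectory

$group = 'CLOUDAPEX\Domain Joiners'            # assumed name of the delegated group
$ou    = 'OU=Workstations,DC=cloudapex,DC=com' # assumed distinguished name of the target OU

# Schema and rights GUIDs behind the wizard's check boxes
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2' # Computer object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529' # Reset Password extended right
$acctRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529' # Account Restrictions property set
$validatedDns  = [Guid]'72e39547-7b18-11d1-adef-0000f87859bd' # Validated write to DNS host name
$validatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1' # Validated write to service principal name

$sid   = ([System.Security.Principal.NTAccount]$group).Translate([System.Security.Principal.SecurityIdentifier])
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Builds one ACE that applies only to computer objects below the OU
function New-ComputerAce([System.DirectoryServices.ActiveDirectoryRights]$rights, [Guid]$objectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, $allow, $objectType, $descendants, $computerClass)
}

$acl = Get-Acl -Path "AD:\$ou"

# Step 7: create and delete computer objects in this OU and its sub-OUs
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild, DeleteChild', $allow, $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# Step 9: the four permissions on the resulting computer objects
$acl.AddAccessRule((New-ComputerAce 'ExtendedRight'               $resetPassword))
$acl.AddAccessRule((New-ComputerAce 'ReadProperty, WriteProperty' $acctRestrict))
$acl.AddAccessRule((New-ComputerAce 'Self'                        $validatedDns))
$acl.AddAccessRule((New-ComputerAce 'Self'                        $validatedSpn))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: list the ACEs the group now holds; the same query is useful when auditing the OU later
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

The final query should show exactly five allow entries for the group; anything broader (for example GenericAll on the OU) means the delegation grants more than the join requires.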

Kindly contact us to have this task carried out more simply across a larger infrastructure using PowerShell/dsacls commands, for example:

$user = 'Domain\Username'            # account or group whose ACEs on the OU are affected
$ou = 'Distinguished Name of OU'     # e.g. OU=Workstations,DC=example,DC=com
# /R removes every ACE held by $user on the OU; use it to clear an existing delegation
# before granting the required rights again with /G.
DSACLS $ou /R $user
