Task sequence fails to rejoin a computer to the domain
Hello,
We have a service account that is supposed to add computers to our domain during OSD. It works fine with machines that are not currently on the domain (or have been deleted from AD prior to running the task sequence), but it fails on computers that are currently on the domain. So far the only suspicious thing I've found in netsetup.log is:
06/16/2011 17:45:06:996 NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: 00000005: SecErr: DSID-031A1169, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Currently the service account has Create computer objects and Read/write all properties rights to the root OU and it is inherited to all sub-OUs. Do you think this issue is related to the rights delegated for the service account?
Thanks in advance!
June 22nd, 2011 9:30pm
Hi
If you are going to re-join the domain you also need delete computer permissions, here is a post from Stefan which describes what permissions are needed:
http://www.msfaq.se/2009/12/creating-a-domain-join-account/
Regards,
Jörgen -- My System Center blog ccmexec.com --
June 22nd, 2011 10:04pm
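To check the delegation before involving the AD admins, here is an added PowerShell audit script (not code from the thread or from the linked post). It reads the ACL of an OU and reports whether the join account holds Create and Delete computer-object rights and Write all properties on descendant computers; the OU path and account name are placeholders, and only ACEs granted directly to the account are examined, so rights inherited through group membership will not show up.

```powershell
# Added example: audit the OSD join account's rights on an OU.
# Assumed placeholders: $OuDn and $Account. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OuDn    = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU distinguished name
$Account = 'CORP\svc-osdjoin'                     # placeholder join service account
# schemaIDGUID of the "computer" object class (well-known AD schema constant)
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$acl  = Get-Acl -Path ("AD:\" + $OuDn)
# Only Allow ACEs granted directly to the account are considered here.
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $Account
}

function Test-OuRight {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right,
        [switch]$OnDescendantComputers   # right must flow down to computer objects in the OU
    )
    foreach ($ace in $aces) {
        if (-not $ace.ActiveDirectoryRights.HasFlag($Right)) { continue }
        if ($OnDescendantComputers) {
            # Property right: ObjectType empty = all properties; the ACE must be
            # inherited by computer objects (or by all classes) below the OU.
            $match = ($ace.ObjectType -eq [Guid]::Empty) -and
                     ($ace.InheritedObjectType -eq [Guid]::Empty -or
                      $ace.InheritedObjectType -eq $ComputerClass) -and
                     ($ace.InheritanceType -ne 'None')
        } else {
            # Create/Delete child right: ObjectType names the child class it
            # applies to; an empty GUID means all child object types.
            $match = ($ace.ObjectType -eq [Guid]::Empty) -or ($ace.ObjectType -eq $ComputerClass)
        }
        if ($match) { return $true }
    }
    return $false
}

[pscustomobject]@{
    Account                    = $Account
    OU                         = $OuDn
    CreateComputerObjects      = Test-OuRight CreateChild
    DeleteComputerObjects      = Test-OuRight DeleteChild   # missing right behind the rejoin failure
    WriteAllComputerProperties = Test-OuRight WriteProperty -OnDescendantComputers
} | Format-List
```

A False in DeleteComputerObjects matches the INSUFF_ACCESS_RIGHTS entry the original poster saw when the account tried to rejoin a machine whose computer object already existed.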
Thanks! This was my suspicion, but I wanted a second opinion before contacting our AD admins.
June 22nd, 2011 10:19pm