0 votes

I'm getting "Access Denied" from domain accounts that have been granted the permission to join a specific computer account to the domain.

It seems to work ok in our testing lab, but not in production.

When we create the computer account, we are selecting a non-privileged account under the "User or group that can join the computer to domain" option.

There is no error during the computer account creation, but the attribute "adm-UserOrGroupThatCanJoinComputerToDomain" is not being set either. Not sure this is supposed to be visible or not....

Thanks

by (950 points)

1 Answer

0 votes
by (18k points)

Hello,

Please open the Permissions dialog for the computer and make sure there are permissions for the user in that dialog.

0


The account that was assigned appears to have full permissions on the computer account.

0

Hello,

Sorry for the delay. The fact that the account has Full Control rights for the computer, means that the user must be able to join the computer to a domain. Our QA team will investigate the possible reasons for why the user receives the Access is Denied error. I'll update this post as soon as they get any results.

0

Thanks - we really need this functionality to work. I appreciate it.

0

I've attached some additional information and findings. It appears that ADAxes is not granting sufficient permission to fully add a computer account in our domain.

0

Also, I would point out that if I add at least the "Reset password" permission manually to the delegated account after creating it with ADAxes, the user is then able to add the computer to the domain.

0

Hello,

We managed to reproduce and fix the issue. The fix is available in the latest build of 2012.1. You can download it here. Upgrade Instructions.

Thank you very much for the bug report!

0

Fixed! Thanks for the quick turnaround. Whenever elegance in software design comes up, I mention your product. Not only for the support structure you have (this forum), but especially the ease with which updates can be applied without breaking the current installation. Many thanks and keep up the good work. Perhaps it will rub off on some other vendors out there....

0

Thank you for the good words :)

0

I'm having the same problem, when I look at the permissions the normal domain user has full control of the object created but we get this error when trying to join the computer to the domain with that user:

"Your computer could not be joined to the domain because the following error occurred: No mapping between account names and security ids was done."

Please let me know how I can correct this. Thanks!

0

Hello,

Please upgrade to the latest version of Adaxes. This must solve the problem. The latest version is 2012.1 (3.3.8218.0).

0

I upgraded and am still getting the same mapping error. Thanks!

0

We'll investigate the issue. For now, please

  • ensure that you are using the correct user name\password combination when prompted for credentials to add the computer to the domain.
  • ensure that you entered the correct DNS Domain name for domain you are trying to join.
0

OUr pre-2000 domain was MITEK, our 2003 domain is mii.com. I used it trying to add the computer and got a different message: Another computer in the domain is already using the specified computer name.

0

What is the exact text of the error message?

0

"Your computer was joined to the domain but using the old name because: Another computer inthe domain is already using the specified computer name"

I have verified there is only the one computer name and it is the one I created with the Adaxes Create Computer function. It did not use that one but create one with the previous specified computer name(not the one I specified when attempting to join it to the domain) in the root Computer OU.

I tried this again by unjoining it back to Workgroups, changed the name first to the name in Active Directory, restarted, then joined it to the domain. It worked fine doing it that way. Thanks!

0

Unfortunately our QA team cannot reproduce the error... Is it reproducible in your environment?

Related questions

0 votes
1 answer

Hello, is there a way to automatically create a user after creating a user in a different domain? Let me explain: We have a Management Domain we own and a new ... be created automatically We got a adaxes service account in both domains. Thanks in advance!

asked May 14, 2019 by Redfruit (100 points)
0 votes
1 answer

Hello, How it works if I have multiple accounts in one domain, and other accounts in others domains managed by Adaxes ? Thank you. Regards. Pierre

asked Jun 9, 2021 by pierre.saucourt (40 points)
0 votes
1 answer

I see a few Q&As dealing with user accounts but don't see one in regards to computer accounts. Is it the same? As feedback, both of these should be documented ... This could be a good place to do so: http://www.adaxes.com/sdk/IAdmInactiveAccountCondition/

asked Mar 31, 2021 by mark.it.admin (1.8k points)
0 votes
1 answer

When creating a new computer record you have the opportunity to choose a user/group whom can add the physical computer. Looking in the Adaxes log I note that this is ... also tried looking for a Powershell command that did so but couldn't find one? Thanks

asked Jan 22, 2013 by firegoblin (1.6k points)
0 votes
1 answer

Hello, I am trying to find out if it would be possible to create a tool/ process on Adaxes that will allow me to create a new AD user and set a time limit on the ... or guides on how i might create a new users or set deletion / disable times? Thanks Rhys

asked Nov 9, 2021 by R_C (70 points)
2,740 questions
2,474 answers
6,475 comments
1,373,652 users