Am upgrading win9x machines to XP. All is well, until I click that "this machine is part of a domain". Then a box prompts for username/pwd of someone with permissions to join this computer to domain. It won't take my account. I am not a network administrator, but have joined many Win2000 machines to the same (Win2000) domain. Am told there is a security feature (or glitch) in NT, etc that restricts a user to only joining 10 machines, and that I must use another user's account. I have access to many with domain permissions, have tried 7 or 8, without success. End result is "access denied". Am getting run-around from Network services. Have many new XP machines about to arrive. Without a "fix", cannot login to Domain. Help!
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
add computer to domain
- Thread starter Ksarasara
- Start date
Pretty sure the 10 joins restriction doesn't exist (recently upgraded 15 98 PCs on NT domain, joined them all with the same user). Are you sure somebody hasn't changed your user's access level since you last joined someone to domain (so you can't now)?
You would need to have netork admin priviledges to join any computer to the domain anyway, would you not?
As for the security feature/glitch you mentioned, I agree with wolluf - doesn't exist. I've joined way more than 10 PC's to the domain with no problems. Scotsdude![[bravo]](/data/assets/smilies/bravo.gif "[bravo] [bravo]")
Life is nothing without beer
Help us help you - let us know when our insane scribblings help!!
As for the security feature/glitch you mentioned, I agree with wolluf - doesn't exist. I've joined way more than 10 PC's to the domain with no problems. Scotsdude
Life is nothing without beer
Help us help you - let us know when our insane scribblings help!!
BIGALINWALES
IS-IT--Management
Hey,
I had the problem with only being able to add the 10 computers to the domain before it stopped working. According to a member of a Microsoft Consultancy firm who worked for my company this is apparently by design.
The only way I've found to get around this is to add the computer name into AD first, then add the computer to the domain with a username/password that has network admin priveledges.
Hope this helps
Al
I had the problem with only being able to add the 10 computers to the domain before it stopped working. According to a member of a Microsoft Consultancy firm who worked for my company this is apparently by design.
The only way I've found to get around this is to add the computer name into AD first, then add the computer to the domain with a username/password that has network admin priveledges.
Hope this helps
Al
I'm a little confused here. Only a 2K server can support a true domain. There is no 10 limit of workstations joining a domain/connecting to a serer. W2K Pro, has a 10 connection limit, same as NT workstation did.
You must be an admin to join a workstation to a domain and to have authorization to create a machine account in the domain.
You aren't trying to give more than one machine the same name are you? That won't work. =============
Mens et Manus
=============
You must be an admin to join a workstation to a domain and to have authorization to create a machine account in the domain.
You aren't trying to give more than one machine the same name are you? That won't work. =============
Mens et Manus
=============
Add workstations to domain
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Description
Determines which groups or users can add workstations to a domain.
This policy is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.
Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.
Default: Authenticated Users.
Note
Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of "Add workstations to domain" have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the "Add workstations to domain" user right, the computer is added, based on the computer container permissions rather than on the user right.
For more information, see:
Security Configuration Manager Tools
- Thread starter
- #8
Well, for this machine, polymath5 had the call. The user had moved from another machine, and the name I had picked still existed on the domain, for that other machine. Hence the "access denied" message (I thought that was odd).
linney's note and link are, according to our security administrator, right on the money, though, for any server with AD. My problem was (and maybe still is) that I had been unable to add another upgraded machine using several other's valid user/pword, the same happened with this one, the security admin added it from his end, then this "access denied" started, and I had to assume the worst. Now that the name problem has been disposed of, this workstation is fine, but it was added from the other end. I have others to add, and many more on the way. We'll see if other users/pwords work. Since the joining to a domain is required for every 2000/XP machine (and all new machines are XP), this restriction is a pain. -Thanks
linney's note and link are, according to our security administrator, right on the money, though, for any server with AD. My problem was (and maybe still is) that I had been unable to add another upgraded machine using several other's valid user/pword, the same happened with this one, the security admin added it from his end, then this "access denied" started, and I had to assume the worst. Now that the name problem has been disposed of, this workstation is fine, but it was added from the other end. I have others to add, and many more on the way. We'll see if other users/pwords work. Since the joining to a domain is required for every 2000/XP machine (and all new machines are XP), this restriction is a pain. -Thanks
Glad you got it sorted out.
What Linney quoted was correct for adding computers, or users for that matter, to a domain. I was speaking from a practical security side. The only groups that should be able to add/delete computers from domains and add/remove members should be Administrators. Unless the enterprise is extremely large. The last thing any organization machines being added secretly or by people not knowing what they are doing. =============
Mens et Manus
=============
What Linney quoted was correct for adding computers, or users for that matter, to a domain. I was speaking from a practical security side. The only groups that should be able to add/delete computers from domains and add/remove members should be Administrators. Unless the enterprise is extremely large. The last thing any organization machines being added secretly or by people not knowing what they are doing. =============
Mens et Manus
=============
- Thread starter
- #10
For those who said they have joined many win 98 machines to the domain, so have I. The problem is the limitation described by linney above, for win2000 and XPpro(could that be for any OS which could run AD?) "any authenticated user ...can create up to 10 computer accounts in the domain"
Again, for this install, this didn't work, even with other authenticated users' logons. When I wrote the last message, I had been assured by phone that the troubleshooter had fixed the problem, that the machine was successfully on the domain. Apparently he didn't check his work. It was not. I found an old guy that knew what to do. What finally worked, was this:
1. In My Computer, remove computer from domain, add to workgroup
2. Change the default workgroup name "workgroup" to the name of the domain desired
3.add a new user to the workgroup, with admin priveleges
4.log back on as that user
5. add the computer to the domain, using the username/pword of some authenticated user that hasn't used his/her 10
6. log in to domain with any valid logon
Why you would have to rename the workgroup first, I don't know, but it did work.
Again, for this install, this didn't work, even with other authenticated users' logons. When I wrote the last message, I had been assured by phone that the troubleshooter had fixed the problem, that the machine was successfully on the domain. Apparently he didn't check his work. It was not. I found an old guy that knew what to do. What finally worked, was this:
1. In My Computer, remove computer from domain, add to workgroup
2. Change the default workgroup name "workgroup" to the name of the domain desired
3.add a new user to the workgroup, with admin priveleges
4.log back on as that user
5. add the computer to the domain, using the username/pword of some authenticated user that hasn't used his/her 10
6. log in to domain with any valid logon
Why you would have to rename the workgroup first, I don't know, but it did work.
You don't have to rename if the domain/workgroup name you are changing from is something other than 'domain or workgroup'.
The reason youhave to change your workstation to a workgroup and then back to a domain is that you are in effect changing the name of the computer on theat workstaion only. The domain still knows your computer by its old name, not the one that it has now. For the workstation to become part of the domain agan, you have to remove the old name from the domain, change the name of the workstation, and then add the workstaion, with its new name, to the domain.
It all has to do with the invisible internal passwords the DC uses to identify the Machine accout, not the user account. =============
Mens et Manus
=============
The reason youhave to change your workstation to a workgroup and then back to a domain is that you are in effect changing the name of the computer on theat workstaion only. The domain still knows your computer by its old name, not the one that it has now. For the workstation to become part of the domain agan, you have to remove the old name from the domain, change the name of the workstation, and then add the workstaion, with its new name, to the domain.
It all has to do with the invisible internal passwords the DC uses to identify the Machine accout, not the user account. =============
Mens et Manus
=============
- Status
Similar threads
- Locked
- Question