
Rejoining computer to Active Directory Domain

Status
Not open for further replies.

weisrc

IS-IT--Management
Dec 5, 2002
I'm having a problem giving specific rights to a group of users. I'm trying to allow them to add a computer to the domain, either a new system, or a system that has been rebuilt with the SAME host name.

Currently, this group of users is able to add a new system to the domain, but are UNABLE to add a system to the domain that has been rebuilt with the same host name that was previously on the domain. Is there a specific right I need to give to the group to allow a computer object to be modified? Or...something else?

To give them rights to add to the domain, I ran the delegated rights wizard, which allows them to "create computer objects". I've additionally given them the right to delete computer objects, but this apparently isn't enough...any ideas?

Any help, information, tips, etc would be appreciated! Thanks!

Rob
 
If you want to add a computer to the domain with the same name as a previous computer, you must first delete the computer name from the Active Directory. After you delete the computer name, you should be able to join the rebuilt machine to the domain.

If at first it does not succeed, make sure that before you try to join the PC to the domain, you first unassociate the PC from the domain. Go to System Properties -> Computer Name -> and join it to a default workgroup. After you restart the PC, and the computer name is deleted from the Active Directory, you should be able to go back into System Properties and join the domain.

Hope this helps...
 
I solved it by going here:


And giving these special rights as they detailed:

1. Computer Objects: Validated write to service principal name

2. Computer Objects: Read/Write Account Restrictions

3. Computer Objects: Reset Password

Also, I have given the right to create/delete computer objects (delete may not be necessary) to the group.

This allows our tech team the ability to join a PC to the domain after it's been rebuilt by overwriting the PC object that is left over.

You can make it especially easy to delegate these rights by following that link's instructions and modifying the c:\windows\inf\delegwiz.inf with:

;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container

Description = "Add and/or join a computer to the domain in an OU (computer)"

ObjectTypes = SCOPE, computer

[template6.SCOPE]
;Right to create computer objects
computer=CC

[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name", "Account Restrictions"
;----------------------------------------------------------


Just make sure you don't let the lines wrap around in notepad or it doesn't work.

Hope that helps anybody else who has the same problem!

Rob
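As an added example (not from this thread, and not Microsoft's own tooling), here is a PowerShell audit that reports whether a group actually holds each of the rights the template above grants on a given OU. It assumes the ActiveDirectory module is available and that you supply the OU distinguished name and the group as "DOMAIN\Group"; the right names are resolved from the directory's own Extended-Rights container, which is the same lookup delegwiz.inf relies on.

```powershell
Import-Module ActiveDirectory

function Get-ComputerJoinDelegation {
    # Reports, for the rights granted by the delegwiz.inf template above, whether
    # $GroupName holds each one on $OUDistinguishedName. Both parameters are
    # assumed inputs, e.g. "OU=Workstations,DC=example,DC=com" and "EXAMPLE\Techs".
    param(
        [Parameter(Mandatory)] [string] $OUDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $root = Get-ADRootDSE

    # Map control-access-right display names (the names delegwiz.inf uses) to GUIDs
    $rightGuid = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }

    # schemaIDGUID of the computer class identifies "create computer objects" ACEs
    $cls = Get-ADObject -SearchBase $root.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
    $computerGuid = New-Object Guid (, $cls.schemaIDGUID)

    # Only Allow ACEs granted to the group under audit
    $aces = (Get-Acl -Path "AD:\$OUDistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $GroupName -and
                       $_.AccessControlType -eq 'Allow' }

    # Each check: the access-mask bit and the object GUID the ACE must carry
    $checks = @(
        @{ Name = 'Create computer objects';                    Mask = 'CreateChild';   Guid = $computerGuid }
        @{ Name = 'Reset Password';                             Mask = 'ExtendedRight'; Guid = $rightGuid['Reset Password'] }
        @{ Name = 'Validated write to DNS host name';           Mask = 'Self';          Guid = $rightGuid['Validated write to DNS host name'] }
        @{ Name = 'Validated write to service principal name';  Mask = 'Self';          Guid = $rightGuid['Validated write to service principal name'] }
        @{ Name = 'Account Restrictions (write)';               Mask = 'WriteProperty'; Guid = $rightGuid['Account Restrictions'] }
    )
    foreach ($c in $checks) {
        $mask = [System.DirectoryServices.ActiveDirectoryRights]$c.Mask
        # An empty ObjectType means the ACE covers every child class / right / property
        $hit = $aces | Where-Object {
            ($_.ActiveDirectoryRights -band $mask) -and
            ($_.ObjectType -eq $c.Guid -or $_.ObjectType -eq [guid]::Empty)
        }
        [pscustomobject]@{ Right = $c.Name; Granted = [bool]$hit }
    }
}

# Usage (assumed values): Get-ComputerJoinDelegation 'OU=Workstations,DC=example,DC=com' 'EXAMPLE\Techs'
```

A row with Granted = False for a right that the wizard should have applied usually means the template line wrapped, exactly the failure Rob describes; an ACE with an empty ObjectType is broader than the template intends and is worth a second look.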
 
And yes, some of the code did wrap around. So, DOUBLE check this before trying it.

Rob
 
deletion of the computer account does not have to occur if an administrator/domain admin is adding the machine back in...any machine given the same name will find that computer object and use it....

reset password is the secure channel password and is admins only by default
same with validated write to spn....normal authenticated users cannot adjust this property whereas admins can...



glad to hear ya got it fixed


-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 