Delegation of permissions to join computers to domain

Hi
I am having some issues with delegating permissions to users for joining machines to the domain.
I have delegated permissions to a group of users which allows them to join machines to the domain. They can join and disjoin, but the only problem is they cannot rejoin if the computer account still exists.
They get the following error
The Join operation was not successful, This could be becuase an existing computer account having name xxxxxx  was previously created
using a different set of credentials.
Access Denied
Can someone tell me what extra delegation permissions I need to give to these users to be able to do this?
Thanks

Hello,
Please see http://support.microsoft.com/kb/932455/en-us "Users cannot reset passwords" for how to configure the permission to reset the machine password, which is required to rejoin machines
to the domain where the machine name already exists in AD.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
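
One way to grant the reset-password permission the reply above refers to, as an added example that is not part of the original thread or the KB article. The OU, the group name and the use of the RSAT ActiveDirectory module are assumptions; the script grants only that one right on computer objects and then lists every principal that holds it so the delegation can be reviewed.

```powershell
# Added example: delegate only "Reset Password" on computer objects in one OU,
# then list every principal holding that right so the result can be reviewed.
# Assumed (not from the thread): the OU DN, the group name, RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OuDn      = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU holding the computer accounts
$GroupName = 'Workstation-Joiners'                 # hypothetical delegated group

# Schema GUIDs, identical in every forest
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class

function Grant-ComputerPasswordReset {
    param([string]$OuDn, [string]$GroupName)

    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path

    # Allow ACE: extended right "Reset Password", inherited by descendant
    # computer objects only (not users, not the OU itself).
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPassword,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClass)

    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-ComputerPasswordResetHolders {
    param([string]$OuDn)

    $empty = [guid]::Empty
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceType -ne 'None' -and
        # ExtendedRight bit is also set in GenericAll (full control)
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        # Either this specific right or "all extended rights" (empty GUID)
        ($_.ObjectType -eq $ResetPassword -or $_.ObjectType -eq $empty) -and
        # Applies to computer objects or to all object classes
        ($_.InheritedObjectType -eq $ComputerClass -or $_.InheritedObjectType -eq $empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

Grant-ComputerPasswordReset -OuDn $OuDn -GroupName $GroupName
Get-ComputerPasswordResetHolders -OuDn $OuDn | Format-Table -AutoSize
```

The listing includes inherited entries and full-control holders, so it shows everyone who can reset a computer account password in that OU, not only the group just delegated.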

Similar Messages

  • Using MDT to re-join computers to a domain after a re-image

    Since 2010 we have been using WDS to build, capture and deploy our image across our organisation (a high school), which has worked well enough. While WDS can do all this, the build and capture is a little clunky and relies on you manually installing all
    programmes and then mounting the WIM file and injecting the drivers, so I have moved us onto MDT for the build and capture before importing the finished WIM file into WDS for deployment.
    This has worked much better as MDT makes it much quicker to get an image up and going (programme silent installs, testing is much quicker etc.) and driver management is as simple as telling MDT to put ALL the drivers you want into the image, but I have been
    reading that you should link MDT and WDS together.
    I followed the instruction and imported the LiteTouchPE wim file into WDS and we are able to PXE boot right into MDT and either make a new image or capture the one we are working on but I am trying to automate the deployment so it is more like what we have
    when just using WDS for deployment. Because I want to retain the ability to use MDT to make a new image, I cannot customise the CustomSettings.ini file too much and instead I am relying on MDT task sequences for most of the customisations.
    Currently all our systems are pre-staged into WDS (I think it is actually Active Directory at the end of the day but you use wdsutil to pre-stage them) so when we boot into PXE WDS deploys and configures the machines using WDSClientUnattend and ImageUnattend
    XML file so that once the deployment is finished it is sitting at the logon screen waiting for the user to login already joined to the domain and our wireless network.
    I am having trouble trying to achieve this same result using our WDS + MDT combo with the main sticking point being trying to re-join the computer back to the domain (we re-image machines constantly so re-join back to the domain is a must). I wrote/found
    a PowerShell script that does the domain join, but because an account already exists (all our machines are pre-staged under their service tag and GUID) it throws an error about there already being an account with that name (the computer still appears to join
    the domain and I can logon using my domain account). Because of this error MDT borks the deployment and doesn't finish up and complains about deployment being in progress etc.
    Is using WDS to boot the LiteTouchPE and then deploying through MDT the best way, or are we better off going back to using MDT to do the build and capture and then using WDS and its pre-staging to do the deploy? I really like that with MDT I can have a little
    more control over driver deployment (recently had a problem where we got a new laptop and injecting the new drivers into the WIM broke the entire image for all our machines except the new one) and software at the time of the re-image (I cannot install the
    Lenovo hotkey software in a virtual machine because it does a hardware check and fails to install so either the entire image needs to be made on a Lenovo or the software doesn't get installed).
    I am currently making a Windows 8.1.1 x64 Enterprise SOE/MOE/whatever you would like to call it using MDT 2013 with WDS running on Windows Server 2012 R2 x64.

    Hello,
    It is better to use so-called "thin" images. These contain only the operating system (installed and captured in a VM). Subsequently, drivers and software will be deployed by means of MDT.
    For drivers, I recommend you use selection profiles. Moreover, you need to put a condition on the "Inject Drivers" step. Condition type: variable called MODEL, variable value Latitude E6430 (change the value to the desired model). You need
    to add more Inject Drivers steps of this kind.
    At the application level, you import the different applications into MDT, allowing you to select only the desired applications in the wizard. If you want to automate this step, you will need to indicate statically in the task sequence which applications to install; this will
    require the creation of several task sequences.
    Best Regards
    Well, I am well aware that Microsoft recommends a thin image; it is simply not practical in a school environment where students change in and out of subjects and where the combination of subject-specific software is nearly infinite. The overhead is too great
    (maybe if we used something like SCCM where we could deploy applications based on OU or group membership).
    All your other points aside my problem/issue/question which appears to have been lost is, how do I rejoin a computer to the domain using MDT?  We re-image laptops constantly and using WDS they rejoin with no problems but using MDT an error is thrown because
    the account already exists.  In WDS we have all our machines pre-staged, so is there an MDT equivalent that will let me re-image a laptop and have it re-join the domain under the same account without throwing an error?

  • Anybody know anything about Windows 7 joining Samba/NT4 Domains?

    Hello all,
    I recently failed at getting a computer running Windows 7 to join a Samba server's domain. I was later successful at joining the machine to the domain after installing Windows 2000 and discovered the solution (adding missing data in the LDAP database for the machine account) would possibly have allowed me to join the domain with Windows 7 on the client machine.
    While I'd love to find this out by trial and error, I can't experiment right away, since other people need to use these computers.  Google searches seem to yield mixed results; some people have indicated that they've successfully joined domains with a Samba PDC or NT4 PDC (which should be, for all intents and purposes, equivalent feats), but other threads seem to indicate that
    1) there might be regressions in later Win 7 releases, preventing people who formerly were able to join NT4/Samba domains from doing so as of May 2009.
    2) Microsoft considers this functionality (the ability to join NT4 style domains) deprecated.
    3) Microsoft has promised to fix things so that Win 7 machines will connect to Samba PDCs.
    I was wondering if, pending my own direct experimentation, somebody could help me cut through the FUD.
    thanks!
    Last edited by pseudonomous (2009-07-29 05:29:40)

    I don't know if I'm resurrecting a dead topic or not, but in my experience Windows 7 fails a trust relationship with Samba versions below 3.3.4. After 3.3.4 it joins just fine. I know this because at the time I was running an Ubuntu Server as a Samba PDC. I had to recompile a newer version of Samba. I replaced it with Arch soon after, which had an up-to-date package.

  • Windows Server 2012 Foundation, in a Workgroup - "The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller"...

    Every few days we see two dialogs with the following messages:
    Dialog 1, title: Check for Licensing Compliance is Incomplete
    The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller.
    Dialog 2, title: Check for Licensing Compliance is Incomplete
    The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller. If the license compliance check cannot be completed, the server will automatically shut
    down in 8 day(s) 23 hour(s) 0 minute(s).
    The server is not (and never has been) joined to a domain or had any DC roles installed. In fact it's still connected to the default Workgroup.
    The server was configured in our office and never showed this message until it was installed on site. The main difference from what I can see is that when installed on site it was given a static IP address and does not have any DNS settings in the network
    adapter properties. 
    I have scoured a number of forums on this error but in almost every other instance of this error message the servers are connected to a Domain Controller and the solutions generally are linked to dis-joining and rejoining the domain. Unfortunately this is
    not an option for this scenario.
    I initially thought that adding some relevant DNS server IP address may resolve the issue, however, we have the exact same model server configured exactly the same running at a different site that does not experience this problem. This server also has no
    DNS server configured.
    I have seen a post that suggests turning off the server's "Foundation Checking", but I'm unsure how to do this.

    Thanks for your response Vivian.
    I can confirm that this server is not (and never has been) a member of any active directory, it is configured as a Workgroup server. It was initially configured on a network that does have an active directory, but was never joined to it. During that time it
    never displayed these messages.
    The server was moved into production on a different site and network and set up with a static IP address. The site network does have its own Active Directory but the server was not joined to it. It is whilst on this new network that these messages began.
    Since my original post DNS servers have been added and the Microsoft activation has been verified, however, the messages are still appearing.
    There are only 2 user accounts configured on this server. The local admin account and another local admin user.
    The remote desktop services roles have been installed but not yet configured. I don't think that has any bearing on this scenario though.
    The description of this error in the above "Introduction to Windows Server 2012 Foundation" link states:
    This error occurs when the server cannot finish checking the requirements for the root domain, forest trust configuration, or both. It usually happens when the server cannot connect to a domain controller. If the situation persists, the server will
    shut down 10 days after the first time the compliance check failed. Each time this error message occurs, it will state the actual time remaining before the server will shut down. If you restart the server after it has shut down because of non-compliance, the
    server will shut itself down again in 3 days.
    The above description leads me to the following question - In a Workgroup environment, does the server still try to contact a domain controller to establish a level of trust? If this is the case could it be that the server can no longer see the initial DC
    on its new network and this is what is triggering the messages?
    Am I clutching at straws here?

  • Windows 7 64bit and Joining Windows 2008 domain

    just installed Windows 7, 64bit. When I tried to join it to the domain I'm getting "network path not found". I've tried to manually add a host record for the computer in DNS but that doesn't work. I've even set the IP static and then registered
    it in DNS. When I do this, I see the host record with the IP (static) but still can't join to the domain. What's the problem and how can I resolve it?

    Hi HawaiiKai,
    What is your Server operating system version, Windows Server 2003, 2008 (R2) or 2012 (R2)?
    You may take a look at the KB article below:
    "Network Path Not Found" Error Message When You Try to Add Workstation to Domain
    Also, please make sure you have Client for Microsoft Networks
    checked on the NIC properties.
    Or you may consider updating the NIC driver.
    A discussion thread here:
    Cannot join domain "the network path was not found"
    If the issue persists, in case there is any domain configuration issue, you may also seek help at the forum below:
    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS
    Best regards
    Michael Shao
    TechNet Community Support

  • Error in join to SMB domain from windows pc

    hi,
    I have a problem on Mac OS X Server Leopard 10.5. I have configured only DNS, Open Directory and SMB as PDC. In the SMB service I have configured a Windows domain. I have created a share point for the Profile folder.
    I have created a test user "user1" and set its home. In File Sharing I have set automount as AFP, but this is not necessary for Windows connections, I believe....
    let's see the problem...
    I go on win machine and set windows domain, enter user1 and password and I can join to my domain.
    Reboot machine and logon screen appear.
    MYDOMAIN is the domain in SMB service, winmachine is the name of win pc used for test.
    now I enter username and password and some error appear in log of SMB service:
    2008/12/01 16:27:00, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/auth/auth.c:checkntlmpassword(309)
    checkntlmpassword: authentication for user [user1] -> [user1] -> [user1] succeeded
    [2008/12/01 16:27:01, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/rpcserver/srv_samr_nt.c:_samr_lookupdomain(2988)
    Returning domain sid for domain MYDOMAIN -> (some code here)
    [2008/12/01 16:27:01, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/auth/auth.c:checkntlmpassword(309)
    checkntlmpassword: authentication for user [user1] -> [user1] -> [user1] succeeded
    [2008/12/01 16:27:01, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:makeconnectionsnum(1087)
    winmachine (192.168.0.120) connect to service profiles initially as user user1 (uid=1025, gid=20) (pid 514)
    [2008/12/01 16:27:17, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/auth/auth.c:checkntlmpassword(309)
    checkntlmpassword: authentication for user [user1] -> [user1] -> [user1] succeeded
    [2008/12/01 16:27:17, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:makeconnectionsnum(1087)
    winmachine (192.168.0.120) connect to service profiles initially as user user1 (uid=1025, gid=20) (pid 514)
    [2008/12/01 16:27:17, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:makeconnectionsnum(1087)
    winmachine (192.168.0.120) connect to service netlogon initially as user user1 (uid=1025, gid=20) (pid 514)
    [2008/12/01 16:27:18, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:close_cnum(1284)
    winmachine (192.168.0.120) closed connection to service profiles
    [2008/12/01 16:27:18, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/auth/auth.c:checkntlmpassword(309)
    checkntlmpassword: authentication for user [user1] -> [user1] -> [user1] succeeded
    [2008/12/01 16:27:18, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:makeconnectionsnum(1087)
    winmachine (192.168.0.120) connect to service user1 initially as user user1 (uid=1025, gid=20) (pid 514)
    [2008/12/01 16:27:18, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_directory(2105)
    open_directory: unable to create WINDOWS. Error was NTSTATUS_OBJECT_NAMECOLLISION
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_directory(2105)
    open_directory: unable to create WINDOWS/system. Error was NTSTATUS_OBJECT_NAMECOLLISION
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_directory(2105)
    open_directory: unable to create WINDOWS. Error was NTSTATUS_OBJECT_NAMECOLLISION
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_directory(2105)
    open_directory: unable to create WINDOWS/system. Error was NTSTATUS_OBJECT_NAMECOLLISION
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_file(391)
    user1 opened file WINDOWS/win.ini read=Yes write=Yes (numopen=2)
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/close.c:closenormalfile(399)
    user1 closed file WINDOWS/win.ini (numopen=0) NTSTATUSOK
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_file(391)
    user1 opened file WINDOWS/win.ini read=Yes write=Yes (numopen=1)
    [2008/12/01 16:27:19, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:makeconnectionsnum(1087)
    winmachine (192.168.0.120) connect to service user1 initially as user user1 (uid=1025, gid=20) (pid 514)
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/close.c:closenormalfile(399)
    user1 closed file WINDOWS/win.ini (numopen=0) NTSTATUSOK
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_file(391)
    user1 opened file WINDOWS/win.ini read=Yes write=No (numopen=1)
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/close.c:closenormalfile(399)
    user1 closed file WINDOWS/win.ini (numopen=0) NTSTATUSOK
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_file(391)
    user1 opened file WINDOWS/win.ini read=Yes write=No (numopen=1)
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_file(391)
    user1 opened file WIND read=Yes write=Yes (numopen=2)
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/close.c:closenormalfile(399)
    user1 closed file WIND (numopen=1) NTSTATUSOK
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/close.c:closenormalfile(399)
    user1 closed file WINDOWS/win.ini (numopen=0) NTSTATUSOK
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_file(391)
    user1 opened file WINDOWS/win.ini read=Yes write=Yes (numopen=1)
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_file(391)
    user1 opened file WINDOWS/inifile.upd read=Yes write=Yes (numopen=2)
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/close.c:closenormalfile(399)
    user1 closed file WINDOWS/inifile.upd (numopen=1) NTSTATUSOK
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/close.c:closenormalfile(399)
    user1 closed file WINDOWS/win.ini (numopen=0) NTSTATUSOK
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_file(391)
    user1 opened file WINDOWS/win.ini read=Yes write=No (numopen=1)
    [2008/12/01 16:27:19, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_file(391)
    user1 opened file WINDOWS/inifile.upd read=Yes write=No (numopen=2)
    [2008/12/01 16:27:29, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/close.c:closenormalfile(399)
    user1 closed file WINDOWS/win.ini (numopen=1) NTSTATUSOK
    [2008/12/01 16:27:29, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/close.c:closenormalfile(399)
    user1 closed file WINDOWS/inifile.upd (numopen=0) NTSTATUSOK
    [2008/12/01 16:27:29, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:close_cnum(1284)
    winmachine (192.168.0.120) closed connection to service profiles
    [2008/12/01 16:27:29, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:close_cnum(1284)
    winmachine (192.168.0.120) closed connection to service netlogon
    [2008/12/01 16:27:29, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:close_cnum(1284)
    winmachine (192.168.0.120) closed connection to service user1
    [2008/12/01 16:27:41, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:makeconnectionsnum(1087)
    winmachine (192.168.0.120) connect to service user1 initially as user user1 (uid=1025, gid=20) (pid 514)
    [2008/12/01 16:27:42, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_directory(2105)
    open_directory: unable to create WINDOWS. Error was NTSTATUS_OBJECT_NAMECOLLISION
    [2008/12/01 16:27:42, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_directory(2105)
    open_directory: unable to create WINDOWS/system. Error was NTSTATUS_OBJECT_NAMECOLLISION
    [2008/12/01 16:27:42, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_directory(2105)
    open_directory: unable to create WINDOWS. Error was NTSTATUS_OBJECT_NAMECOLLISION
    [2008/12/01 16:27:42, 2, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/open.c:open_directory(2105)
    open_directory: unable to create WINDOWS/system. Error was NTSTATUS_OBJECT_NAMECOLLISION
    [2008/12/01 16:28:03, 1, pid=514] /SourceCache/samba/samba-187.8/samba/source/smbd/service.c:close_cnum(1284)
    winmachine (192.168.0.120) closed connection to service user1
    Is this an error or a warning message?
    Can someone help me?
    Thanks a lot
    fil


  • Joining a Windows domain: what are the benefits?

    Hi there,
    I know it's strange question but can you answer it?
    If I join my Mac to a Windows domain, what benefits do I get as a system administrator? Is Windows server policy deployed on the Mac (password policy and so on)?
    Also, if a network user (from Windows server) logs in to the Mac, except home folder what do I get?
    Thanks for help

    If I join my Mac to a Windows domain, what benefits do I get as a system administrator? Is Windows server policy deployed on the Mac (password policy and so on)?
    You're right - if you authenticate against the Windows domain, then all the Windows policies are in effect - expiration, password restrictions, auditing, etc.
    Also, if a network user (from Windows server) logs in to the Mac, except home folder what do I get?
    I'm not sure what you mean by this.

  • Joining servers in domain

    We have a few servers that are running Oracle EBS and JD Edwards applications. These servers are not on the domain. What will be the impact on the application and database if the servers are joined to the domain? Please advise.

    Sami,
    We never had any issues in joining Oracle Apps servers to the network domain, and no additional steps were required, so I believe it is the same for the database.
    For the database, if you want to setup a user account to startup the services instead of the local user, please refer to:
    Note: 401643.1 - How to setup Domain OS User Account Instead of a LocalSystem User, to Start Windows ORACLE Services
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=401643.1
    Regards,
    Hussein

  • How to join a virtual domain from a Windows 8.1 host?

    Hi there
    Is it possible to join a virtual domain from a Windows 8.1 host or not?
    I installed Windows 8.1 on my system as the host, then enabled Hyper-V on Windows 8.1, installed Windows Server 2012 R2 and installed Active Directory Domain Services.
    Now I want to join this domain from my Windows 8.1 host, but I can't. I created a user in Active Directory Users and Computers and set up its DNS, but I can't complete the join.
    It gives me an error saying that maybe the domain name is not correct or the user name or password is incorrect.
    Please help me: how can I join a virtual domain from the Windows 8.1 host on my PC?
    Thanks
    With best regards,
    Raha

    Yes, you can.
    You will need to configure the virtual network switch as either internal or external.
    Then, you'll need to specify the IP address of the virtual Domain Controller as a DNS Server on the Windows 8.1 device.

  • Join to the Domain network

    Dear Sir
    I want to join the DOMAIN network. I have Windows 8.1 Single Language 64-bit,
    so can I connect to the domain network?
    pls help me AS SOON AS 
    Yours faithfully
    siraj khan


  • Is there any way to log in to active directory from a mac without joining the AD domain?

    I am looking for a way to log in to Active Directory without having the Mac join the AD domain. Basically I have not been able to understand all the ramifications of joining the AD domain. From what I have read in various documentation on the Apple site and some of the AD plug-in sites, it seems that if the Mac joins the domain, all kinds of group policies get 'transferred' to the Mac experience. How exactly does that affect the privileges of the local Mac user on their machine? Do they need to change their Mac password? What happens to their existing home directories? What happens when they have their laptops at home?
    TIA
    Costas Manousakis

    Costas Manousakis wrote:
    The reason I am hesitant about binding the Macs is that I'm not sure what all the effects of that are. Will they have to change their Mac passwords / usernames? More than likely the auto login will have to go. If there are multiple accounts on the Mac (e.g. one admin account and other regular and admin accounts), how does binding affect them? How will it work when the Mac is not in the office? If they have admin rights on the Mac but not on the Windows AD, how will that affect them? Do you know of a source I could go to to find answers for questions like these?
    Unfortunately, the source for answers should be your IT department. I can tell you how my machine works. I have a personal machine with no restrictions and a work machine bound to an Active Directory domain. Even my work machine has few restrictions compared to normal. I have a privileged account I can use if necessary. Also, I'm pretty much a goody-two-shoes so I don't try to circumvent restrictions.
    Basically, the Mac uses a system called Open Directory to manage user accounts. Every Mac comes with its own miniature Open Directory server. If you have a network with MacOS X Server, you can use the server's Open Directory. You can also use Microsoft's Active Directory to perform all the same tasks. The user's logins and passwords would be whatever is on Active Directory. They can change their password on the Mac and it will change the Active Directory password. Active Directory can enforce password expirations too.
    I am not an Active Directory administrator, so I can't give you specifics. Pretty much everything you have mentioned can be controlled via Active Directory. That is what it is for. It does require active participation of your IT staff. If you don't have that, then I don't see it working out well. It sounds like a paradox. IT wants to control users, but doesn't want to deal with it. You can't have it both ways. Maybe let it be known among the Mac users that visiting those restricted sites could cause IT to get rid of Mac altogether. That does sound like a probable outcome.

  • Need assistance how to configure RDS on a standalone Server 2012 R2 not joined to a domain

    Hi,
    I need help on how to configure RDS on my standalone server 2012 R2 that is not joined to a domain.  I would also like to see the counterpart of Terminal Services Manager.
    I am familiar with Terminal Services on my old Server 2003, which I am migrating.
    Thank you for your assistance.
    Sincerely,
    Ramon

    Hi,
    the dedicated RDS/TS forum is here:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverTS
    Some useful articles, which seem to answer your questions:
    http://support.microsoft.com/kb/2833839
    http://ryanmangansitblog.com/2013/10/30/deploying-a-rdsh-server-in-a-workgroup-rds-2012-r2/
    http://support.risualblogs.com/blog/2014/03/10/setting-up-a-2012-r2-rds-gateway-for-a-workgroup/
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • DHCP in Domain A serving Computers in Domain B

    Hi. I have migrated computers from domain A to domain B. Servers remain in domain A. A trust is in place.
    In domain A I have a domain controller running DNS & DHCP. DNS is secure only/AD Integrated. DHCP is configured to update DNS using a domain account. DHCP in domain A serves computers migrated to domain B.
    I have a domain controller in Domain B running DNS.
    All servers are on the same subnet (domain A and domain B) and in the same building.
    Forwarders are configured in DNS.
    I am no longer able to RDP to computers migrated to domain B by name. I can by IP.
    What is the best configuration for my situation to avoid DNS issues?
    Should I install DHCP on a member server in Domain B and unauthorize the DHCP server in Domain A?
    Kind regards,
    Phil.

    Hi Phil,
    I don't think this will confuse the DNS. Because they are different resource records. For example, we have a client named PC1. Then there will be two resource records in the DNS, one is PC1.domainA.local and the other is PC1.domainB.local. Which resource
    record will be used depends on the DNS query. Which DNS suffix will be appended to the DNS query depends on the DNS suffix search list.
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Error joining to ADS domain - NSS2000

    Hi,
    I have been trying to join a Cisco NSS2000 device to a Windows Server 2008 based active directory and each time that I try to join I see a window with the error "error joining to ADS domain" and "Join to domain is not valid".  I know the credentials I am using are valid and have domain admin rights.  The appliance is also using the DC as an NTP source and I have confirmed the clocks are synced.
    Looking in the CIFS logs I can see the following entries.
    Feb 8 14:06:38 NAS01 winbindd[4525]: Could not fetch sid for our domain MYDOMAIN
    Feb 8 14:10:07 NAS01 winbindd[4525]: [2010/02/08 14:10:07, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
    Feb 8 14:10:07 NAS01 winbindd[4525]: ads_connect for domain MYDOMAIN failed: Cannot read password
    Feb 8 14:15:08 NAS01 winbindd[4525]: [2010/02/08 14:15:08, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
    Feb 8 14:15:08 NAS01 winbindd[4525]: ads_connect for domain MYDOMAIN failed: Cannot read password
    Does anyone have any ideas on how I can successfully join this box to my domain?
    Thanks
    Leigh

    I think I may have answered my own question - I am currently running v1.13 of the firmware and the release notes for this indicate it is not compatible. v1.16 is being downloaded now, which will hopefully resolve the issue.

  • Server is disjoining from the domain randomly

    Hi,
    I have a great problem: my application server, running Windows 2003 and created in the DMZ zone, is randomly disjoining from the DC server in the same zone. If I make it a workgroup member and rejoin it to the domain, it works for some time and then disjoins again.
    Can anybody suggest a solution to this problem? My application is linked with domain credentials, and users have been bombarding me since morning.

    Hi,
    Based on my experiences, disjoining a computer from domain requires manual actions.
    To disjoin a computer, we need to:
    Right-click on Computer, select Properties.
    Click on Change settings.
    Under the Computer Name tab, click on Change.
    Then choose Workgroup and input a name for the workgroup.
    You may need to find the user who has done this. You can also make sure that this user doesn’t have administrator rights on the server to prevent this behavior.
    Here are some similar threads below for your reference:
    why member server disjoin from a domain
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/78940e07-4dfa-448c-bba4-c46eca75f2d2/why-member-server-disjoin-from-a-domain?forum=winservergen
    A server was not able to be accessed through domain account and found that the server is in WORKGROUP and not join in the domain.
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/ce61743c-3fef-468d-a834-69d1b1598123/a-server-was-not-able-to-be-accessed-through-domain-account-and-found-that-the-server-is-in?forum=winservergen
    I hope this helps.
    Best Regards,
    Amy Wang
