Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Delegate Control to Groups

Status
Not open for further replies.
MNMike

MNMike

Technical User
Mar 24, 2003
7
US
I have delegated the right to create computer accounts (default Computers OU) to a group call AddDelComputers. If I add a user to this group, the user cannot actually add computer accounts until I reapply the delegated permission? Is there any way to refresh this when I add/remove a user from the group without re-doing the delegation?

Thanks!
Mike
 
Sort by date Sort by votes
How many DC's are in your network? Are you allowing for the new user to your AddDelComputers to replicate across the network. So that when the user does attempt to create the account, his authentication allows him to do so no matter what DC has done the authentication.


Also try the secedit /refreshpolicy cmd line. See for more information.

You can also change the GPO refresh interval:
Hope this points you in the right direction. Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
We only have two DC's (well four, two in the root domain, and two in our main/child domain). I let it sit all weekend, and it still wouldn't work this morning (I had changed group membership Friday afternoon). The original user that was no longer in the group could still create accounts, while the new user who was in the group could not. I thought it was reapplying the delegation that got it to work today, but that doesn't appear to be the case. This is really flaky!
 
Upvote 0 Downvote
Check the event viewer on the DC's to see if there are errors in the File Replication Service.

I had something similar to this happen on my network and it came down to an error in the Domain level GPO that was disrupting everything throughout AD. I kept getting messages that the GPO's could not be applied Event bla bla bla...

See if you have any messages there. Sounds like replication is interupted or something. Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
There aren't any errors in the event logs on either server. I let it sit overnight and I still can't join a computer to the domain with the user account in my group that I've delegated permissions to.

Very strange... Any other thoughts?

Thanks,
Mike
 
Upvote 0 Downvote
Oops! There was a replication problem between one of my forest root DC's... Turns out the time wasn't synching on this server. However, my delegation STILL doesn't work!

Any other ideas???

Thanks...Mike
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
605
DTGMI
DTGMI
microsGuy16
  • Locked
  • Question
Can not copy files to Mapped drive
Replies
0
Views
722
microsGuy16
microsGuy16
tscstl
  • Locked
  • Question
access to local folder
Replies
1
Views
374
hairlessupportmonkey
hairlessupportmonkey
Teo En Ming
  • Locked
  • Question
Actions taken during Disaster Recovery for client whose IBM Megaraid controller has failed
Replies
2
Views
663
fightaccording
fightaccording
DrB0b
  • Locked
  • Question
HyperV trying to do extended replica to external HDD
Replies
0
Views
253
DrB0b
DrB0b

Part and Inventory Search

Sponsor

Back
Top