Microsoft KB Archive/329195

= Error message "Insufficient Privileges" when you try to join a domain =

Article ID: 329195

Article Last Modified on 6/26/2007

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server

-



This article was previously published under Q329195



SYMPTOMS
When you replace a client computer with a new computer that has the same computer name, the domain join may not work, and you may receive an error message stating that you do not have the correct privileges.



CAUSE
This behavior may occur if the domain user account that you are using to join the domain has only the Add workstation to domain user right but not the right to change an existing computer account. The client computer contacts a Lightweight Directory Access Protocol (LDAP) server (a domain controller) that has not yet replicated the deletion of the old computer account, so the old account is still present there. Because the user account that performs the join operation has insufficient rights to modify that existing account, the join fails.



RESOLUTION
To work around this behavior, use one of the following methods:

 * Use a different computer name.
 * Wait for Active Directory replication to occur, or force it with the following command:

repadmin /sync   ._msdcs   /force

 * Use a domain administrator account, or grant additional privileges to a defined setup administrator for the join task.

WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

To grant additional privileges to a defined setup administrator for the join task:

 1. Start Adsiedit.msc.
 2. Locate Domain NC, DC=, CN=Computers.
 3. Right-click Computers, click Properties, click the Security tab, click Advanced, click Add, and then select the defined setup user account or group.
 4. In the Permission Entry for Computers dialog box, click Computer Objects in the Apply onto box.
 5. Under Permissions, select the Write All Properties, Reset Password, and Apply these permissions to objects and/or containers within this container only check boxes.
 6. Click OK, click OK, and then click OK again.
 7. Wait for Active Directory to replicate, or force synchronization by using the repadmin command from the second method above.
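The ADSI Edit steps above can be applied and verified from a script instead of the GUI. The following PowerShell is an added example, not code from the KB article: it writes the same two access control entries (Write All Properties and Reset Password, applied to computer objects that are immediate children of the container) for a setup group, then reads the container ACL back so you can confirm the result. The container path CN=Computers,DC=example,DC=com and the group EXAMPLE\SetupAdmins are assumed placeholders; the two GUIDs are the well-known schemaIDGUID of the computer class and the Reset Password control access right.

```powershell
# Added example (not from the KB article): delegate the join-related rights on
# CN=Computers to a setup group, matching the ADSI Edit permission entry above.
# Assumed placeholders: container DC=example,DC=com and group EXAMPLE\SetupAdmins.
Add-Type -AssemblyName System.DirectoryServices

$ComputerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of class 'computer'
$ResetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # 'Reset Password' control access right

function Grant-ComputerJoinRights {
    param(
        [string]$ContainerPath = "LDAP://CN=Computers,DC=example,DC=com",  # assumed
        [string]$Principal     = "EXAMPLE\SetupAdmins"                     # assumed
    )
    $identity  = [System.Security.Principal.NTAccount]::new($Principal)
    $container = [System.DirectoryServices.DirectoryEntry]::new($ContainerPath)
    $acl       = $container.ObjectSecurity

    # "Write All Properties", Apply onto: Computer objects, "within this container only"
    # -> inheritance Children (immediate children, not the container itself),
    #    inherited object type = computer class.
    $writeAll = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Children,
        $ComputerClassGuid)

    # "Reset Password" is an extended (control access) right, same scope.
    $resetPwd = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Children,
        $ComputerClassGuid)

    $acl.AddAccessRule($writeAll)
    $acl.AddAccessRule($resetPwd)
    $container.CommitChanges()   # writes the modified security descriptor back to the DC
}

function Get-ContainerAcesFor {
    # Read back every ACE on the container that names the principal, for verification.
    param([string]$ContainerPath, [string]$Principal)
    $container = [System.DirectoryServices.DirectoryEntry]::new($ContainerPath)
    $container.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

# Run as an account that may change the ACL of the Computers container (e.g. a domain admin).
Grant-ComputerJoinRights -ContainerPath "LDAP://CN=Computers,DC=example,DC=com" -Principal "EXAMPLE\SetupAdmins"
Get-ContainerAcesFor   -ContainerPath "LDAP://CN=Computers,DC=example,DC=com" -Principal "EXAMPLE\SetupAdmins" |
    Format-Table -AutoSize
```

Expect two entries for the group in the read-back: WriteProperty and ExtendedRight (ObjectType equal to the Reset Password GUID), both with InheritanceType Children and InheritedObjectType equal to the computer class GUID. Note what is being handed out: together these rights let the group reset the password and rewrite the attributes of every computer account under the container, which is effectively control of those machine accounts, so keep the setup group small and delegate on the narrowest container the join workflow actually uses.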


STATUS
This behavior is by design.


MORE INFORMATION
While the client determines which site it is in, it looks in DNS for LDAP servers in _ldap._tcp.dc._msdcs. , which is not site-specific. The new client may therefore use an LDAP server from a remote site that has not yet replicated the deletion of the old computer account. Whether this happens depends on the Active Directory inter-site replication schedule.

The new client computer then uses the site information that it received from this LDAP server to find the site-specific LDAP servers in _ldap._tcp. ._sites.dc._msdcs. . During communication with the local LDAP servers, the client discovers that its computer account name exists only on the domain controller that it initially used.

To avoid potential replication-conflict issues, the client uses the domain controller on which the computer account is already known instead of creating a new account. The domain user account that is used for the join process has insufficient permissions to modify that existing account, and the join does not work.
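The condition described above (the old account deleted on some domain controllers but still present on others) can be confirmed directly, because each domain controller can be queried for its own replica rather than through a serverless LDAP path. The following PowerShell is an added example, not code from the KB article: it binds to every domain controller in the domain in turn and reports whether the named computer account is still present on that DC, alongside the DC the locator returns for this client. The domain example.com and computer name WKSTN01 are assumed placeholders.

```powershell
# Added example (not from the KB article): check each DC's own replica for a
# computer account that may not yet have been deleted everywhere.
# Assumed placeholders: domain example.com, computer name WKSTN01.
Add-Type -AssemblyName System.DirectoryServices

function Find-ComputerAccountOnEachDC {
    param(
        [string]$ComputerName = "WKSTN01",     # assumed
        [string]$DomainName   = "example.com"  # assumed
    )
    $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $ctx     = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new($ctxType, $DomainName)
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)

    # The sAMAccountName of a computer is its name with a trailing '$'.
    $filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"

    foreach ($dc in $domain.DomainControllers) {
        # Bind to this specific DC (LDAP://<dc>/...), not to a serverless path,
        # so the answer reflects only what that DC has replicated so far.
        $rootDse   = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$($dc.Name)/RootDSE")
        $defaultNc = $rootDse.Properties["defaultNamingContext"].Value
        $base      = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$($dc.Name)/$defaultNc")
        $props     = [string[]]@("distinguishedName", "whenChanged")
        $searcher  = [System.DirectoryServices.DirectorySearcher]::new($base, $filter, $props)
        $hit       = $searcher.FindOne()

        [pscustomobject]@{
            DomainController  = $dc.Name
            Site              = $dc.SiteName
            AccountPresent    = ($null -ne $hit)
            DistinguishedName = if ($hit) { $hit.Properties["distinguishedname"][0] } else { $null }
            WhenChanged       = if ($hit) { $hit.Properties["whenchanged"][0] }       else { $null }
        }
    }
}

# The DC the locator hands this client for the domain (site-specific once the site is known).
nltest /dsgetdc:example.com

Find-ComputerAccountOnEachDC -ComputerName "WKSTN01" -DomainName "example.com" | Format-Table -AutoSize
```

If the table shows AccountPresent as True on some domain controllers and False on others, the deletion has not finished replicating; a join attempted against one of the DCs that still holds the account will hit the permission check this article describes. Once every row reports False (or after forcing replication with repadmin), the name can be reused with the ordinary join right.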

For additional information about the domain controller locator process, click the article numbers below to view the articles in the Microsoft Knowledge Base:

247811 How Domain Controllers Are Located in Windows

314861 How Domain Controllers Are Located in Windows XP

Keywords: kbprb KB329195

-


© Microsoft Corporation. All rights reserved.