Microsoft KB Archive/932455

= Error message when non-administrator users who have been delegated control try to join computers to a Windows Server 2003-based domain controller: "Access is denied" =

Article ID: 932455

Article Last Modified on 2/21/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)

-

SYMPTOMS
On a Microsoft Windows Server 2003-based domain controller, non-administrator users may experience one or more of the following symptoms:
 * After a specific user or a specific group has been granted permission to add or remove computer objects in an organizational unit (OU) through the Delegation of Control Wizard, those users cannot add some computers to the domain. When a user tries to join a computer to the domain, the following error message is displayed:

Access is denied.

Note Administrators can join computers to the domain without any issues.
 * Users who are members of the Account Operators group, or who have been delegated control, cannot create new user accounts or reset passwords when they log on locally or through Terminal Services to the domain controller. When they try to reset a password, they may receive the following error message:

Windows cannot complete the password change for  because: Access is denied.

When they try to create a new user account, they receive the following error message:

The password for username cannot be set due to insufficient privileges, Windows will attempt to disable this account. If this attempt fails, the account will become a security risk. Contact an administrator as soon as possible to repair this. Before this user can log on, the password should be set, and the account must be enabled.


CAUSE
These symptoms may occur if one or more of the following conditions are true:
 * The user or group has not been granted the Reset Password permission on computer objects.

Note A user or group cannot join a computer to the domain if that user or group does not have the Reset Password permission on computer objects. Users can create new computer accounts in the domain without this permission, but if the computer account already exists in Active Directory, they receive the "Access is denied" error message because the Reset Password permission is required to reset the properties of the existing computer object.
 * The user has been delegated control of the Account Operators group or is a member of the Account Operators group, and has not been granted the Read permission on the Builtin container in "Active Directory Users and Computers."

RESOLUTION

Users cannot join a computer to a domain
To resolve the issue in which users cannot join a computer to a domain, follow these steps:
 * 1) Click Start, click Run, type dsa.msc, and then click OK.
 * 2) In the task pane, expand the domain node.
 * 3) Locate and right-click the OU that you want to modify, and then click Delegate Control.
 * 4) In the Delegation of Control Wizard, click Next.
 * 5) Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
 * 6) On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
 * 7) Click Only the following objects in the folder, and then in the list, click to select the following check boxes:
   * Computer objects
   * Create selected objects in this folder
   * Delete selected objects in this folder
 * 8) Click Next.
 * 9) In the Permissions list, click to select the following check boxes:
   * Reset Password
   * Validated write to DNS host name
   * Read and write Account Restrictions
   * Validated write to service principal name
 * 10) Click Next, and then click Finish.
 * 11) Close the "Active Directory Users and Computers" MMC snap-in.

Users cannot reset passwords
To resolve the issue in which users cannot reset passwords, follow these steps:
 * 1) Click Start, click Run, type dsa.msc, and then click OK.
 * 2) In the task pane, expand the domain node.
 * 3) Locate and right-click Builtin, and then click Properties.
 * 4) In the Builtin Properties dialog box, click the Security tab.
 * 5) In the Group or user names list, click Account Operators.
 * 6) Under Permissions for Account Operators, click to select the Allow check box for the Read permission, and then click OK.

Note If you want to use a group or a user other than the Account Operators group, repeat steps 5 and 6 for that group or that user.
 * 7) Close the "Active Directory Users and Computers" MMC snap-in.
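As an added example that is not part of this article, the two procedures above applied with PowerShell instead of the wizard, which makes the delegated rights explicit and repeatable. It assumes the RSAT ActiveDirectory module and the AD: drive it provides, placeholder values for the OU distinguished name and the delegated group, and looks the right GUIDs up from the schema by display name rather than hard-coding them.

```powershell
# Added example, not from the KB article. Placeholders: $OuDN and $GroupName.
# Requires the ActiveDirectory module (RSAT) and rights to modify these ACLs.
Import-Module ActiveDirectory

$OuDN      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$GroupName = 'Workstation Joiners'                  # placeholder delegated group

$rootDse = Get-ADRootDSE
$sid     = (Get-ADGroup $GroupName).SID
$ADR     = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$allow   = [Security.AccessControl.AccessControlType]::Allow
$desc    = [DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Resolve extended-right, validated-write and property-set GUIDs by display name
# instead of hard-coding them, so a typo cannot silently grant a different right.
function Get-RightGuid([string]$DisplayName) {
    $r = Get-ADObject -SearchBase $rootDse.configurationNamingContext -Properties rightsGUID `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    if (-not $r) { throw "Control access right '$DisplayName' not found" }
    [guid]$r.rightsGUID
}
# Computer object class GUID (schemaIDGUID is stored as a byte array)
$computerClass = New-Object Guid (,(Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(ldapDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID)

$acl = Get-Acl "AD:\$OuDN"
# "Only the following objects": create and delete computer objects in this OU and its sub-OUs
$acl.AddAccessRule((New-Object $ADR $sid, 'CreateChild,DeleteChild', $allow, $computerClass,
    [DirectoryServices.ActiveDirectorySecurityInheritance]::All))
# Reset Password is an extended right, scoped to descendant computer objects only
$acl.AddAccessRule((New-Object $ADR $sid, 'ExtendedRight', $allow,
    (Get-RightGuid 'Reset Password'), $desc, $computerClass))
# Validated writes are granted with the Self right, not ExtendedRight
foreach ($vw in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $acl.AddAccessRule((New-Object $ADR $sid, 'Self', $allow, (Get-RightGuid $vw), $desc, $computerClass))
}
# Account Restrictions is a property set: read and write it on computer objects
$acl.AddAccessRule((New-Object $ADR $sid, 'ReadProperty,WriteProperty', $allow,
    (Get-RightGuid 'Account Restrictions'), $desc, $computerClass))
Set-Acl "AD:\$OuDN" $acl

# Second fix: Account Operators (well-known SID S-1-5-32-548) need Read on Builtin
$builtinDN = "CN=Builtin,$($rootDse.defaultNamingContext)"
$bacl = Get-Acl "AD:\$builtinDN"
$aops = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-548'
$bacl.AddAccessRule((New-Object $ADR $aops, 'GenericRead', $allow))
Set-Acl "AD:\$builtinDN" $bacl
```

Scoping every ACE to the computer object class keeps the delegation at least privilege: the group can reset computer account passwords but gains no rights over user objects, and `Get-Acl "AD:\$OuDN" | Select-Object -ExpandProperty Access` shows exactly what was granted.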

Keywords: kbexpertiseadvanced kbtshoot KB932455

-


© Microsoft Corporation. All rights reserved.