Hi,

Following that link https://support.microsoft.com/en-us/kb/932455 we
created a delegation to permit some group to add computers into AD.
That works except if some computer with the same name was already added
(even if this computer with the same name was previously cleanly removed
from AD).

Does anyone have an idea what we missed?

Cheers,

M.

Hai Mathias.

I think you forgot the "Add workstations to domain rights".

Good example here.
http://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/

And best is to use a group for this and not a user.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> via samba
> Sent: Friday, 2 September 2016 15:35
> To: samba
> Subject: [Samba] [samba] AD, add computers delegation
>
> Hi,
>
> Following that link https://support.microsoft.com/en-us/kb/932455 we
> created a delegation to permit some group to add computers into AD.
> That works except if some computer with the same name was already added
> (even if this computer with the same name was previously cleanly removed
> from AD).
>
> Does anyone have an idea what we missed?
>
> Cheers,
>
> M.

Thank you Louis, I'll have a try!

And yep, you're so right about using groups rather than users, so that's
what we did ;)

I'll try to test that today and come back to tell y'all how it went.

Have a nice week-end if I can't come back today :)

M.

2016-09-02 16:09 GMT+02:00 L.P.H. van Belle via samba <samba at lists.samba.org>:

> Hai Mathias.
>
> I think you forgot the "Add workstations to domain rights".
>
> Good example here.
> http://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/
>
> And best is to use a group for this and not a user.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> > via samba
> > Sent: Friday, 2 September 2016 15:35
> > To: samba
> > Subject: [Samba] [samba] AD, add computers delegation
> >
> > Hi,
> >
> > Following that link https://support.microsoft.com/en-us/kb/932455 we
> > created a delegation to permit some group to add computers into AD.
> > That works except if some computer with the same name was already added
> > (even if this computer with the same name was previously cleanly removed
> > from AD).
> >
> > Does anyone have an idea what we missed?
> >
> > Cheers,
> >
> > M.

Hello Mathias,

On 02.09.2016 at 15:35, mathias dufresne via samba wrote:
> Following that link https://support.microsoft.com/en-us/kb/932455 we
> created a delegation to permit some group to add computers into AD.
> That works except if some computer with the same name was already added
> (even if this computer with the same name was previously cleanly removed
> from AD).
>
> Does anyone have an idea what we missed?

This is how I successfully delegated the permissions in the past:
https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain

Regards,
Marc

Hi Marc,

Very nice piece of doc. I don't read Samba's wiki enough :)

So I did exactly the same as Samba Wiki's doc except for the next two
options, which I didn't check:
"Read and write DNS host name attributes"
"Write servicePrincipalName"

Regarding SPN writing during join, no SPN should be created (I can't figure
a case where joining a computer which is not a DC would need such an
attribute), and for "Read and write DNS host name attributes" perhaps it
comes implicitly with "Validated write to DNS host name". I expect the DNS
entry to be created but I'm not at work now to verify...

I'll try to remember to come back to tell if the DNS entry was created.

Have a nice week-end :)

2016-09-02 18:02 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:

> Hello Mathias,
>
> On 02.09.2016 at 15:35, mathias dufresne via samba wrote:
> > Following that link https://support.microsoft.com/en-us/kb/932455 we
> > created a delegation to permit some group to add computers into AD.
> > That works except if some computer with the same name was already added
> > (even if this computer with the same name was previously cleanly removed
> > from AD).
> >
> > Does anyone have an idea what we missed?
>
> This is how I successfully delegated the permissions in the past:
> https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain
>
> Regards,
> Marc