>> Hi everybody,
>>
>> For a couple of years now, user X can't join a computer to AD if the
>> computer object has been created by user Y.
>
> Why pre-create the computer object before the join?
Hi Rowland,
In order to place it in the correct OU (unless I am mistaken. Is it
possible to specify the target OU during the join? In my memory it was not.)
> The 'net ads join' command will create it for you and if you want it
> created in a different OU to the standard CN, then the
> 'createcomputer=OU' option will do it for you.
Yes, it's correct and it works. Some of the departments' local
administrators are not Linux people and feel more at ease with ADUC [1].
>
> Also, why are you letting normal users join computers?
They are not normal users, they are members of some delegated group [2].
The problem arises in the few departments with more than one local admin:
if Alice creates a machine in her OU on ADUC, Bob (an admin in the same
OU) can't perform the join.
Thank you for asking!
Francesco
[1] Active Directory Users and Computers snap-in
[2] https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain