Delegation of permissions

Lukasz Zalewski lukas at
Thu Oct 11 03:34:24 MDT 2012

Hi Marc
On 11/10/12 10:12, Marc Muehlfeld wrote:
> Matthieu is currently thinking about a modification problem, too. He is
> looking on my bug report at the moment an I provided him some outputs

This is great news :)
>> How are you joining the machines to the domain? - are you explicitly
>> defining
>> the OU they should go to?
> I go on XP to 'network identification' -> 'change' -> click 'Domain' ->
> enter our Domain 'MUC' -> click 'OK' and in the following window I enter
> 'administrator' and it's password. So it is joined to the 'computers'
> container.
Ah possibly this might be the problem. I'm assuming your delegated 
domain joining user does not have permissions granted on CN=Computers
> I'm new to the whole AD thing. During the last 10 years I just
> administrate a s3 domain with XP clients and haven't find out yet, that
> I can directly join to OUs. :-)

You can try the following:
If you have a machine already on the domain with RSAT installed (it 
might work without RSAT as long as the relevant binaries are present) 
you can re-direct the default Computers container:

As Domain Administrator (or equivalently privileged user), run
%SYSTEMROOT%\system32\redircmp <DN path to alternate OU>

Similarly you can redirect default Users container:
%SYSTEMROOT%\system32\redirusr <DN path to alternate OU>

Although i have not used the user one - most of our users are imported 
through scripts or added directly through ADUC

More info:

redircmp will make the new OU container a default container and every 
machine that will be joined to the domain (without explicitly defining 
different OU) will end up there


More information about the samba-technical mailing list