Delegation of permissions

Marc Muehlfeld Marc.Muehlfeld at
Thu Oct 11 03:43:04 MDT 2012

On 11.10.2012 11:34, Lukasz Zalewski wrote:
>> I go on XP to 'network identification' -> 'change' -> click 'Domain' ->
>> enter our Domain 'MUC' -> click 'OK' and in the following window I enter
>> 'administrator' and its password. So it is joined to the 'computers'
>> container.
> Ah possibly this might be the problem. I'm assuming your delegated domain
> joining user does not have permissions granted on CN=Computers

I followed this guide
to grant permissions on CN=computers for the group containing my join-user(s).
I found some other tutorials on the web that describe the same way.

If I grant it this way, I get
 > The computer failed to join the domain "muc". Please contact your
 > domain administrator and indicate that the computer failed to
 > update the dnsHostName and/or servicePrincipalName (SPN) attribute
 > in its Active Directory computer account. Once the problem is
 > resolved, you may join the computer to the "muc" domain.

If I grant with any user that is not in this group I get a username/password 

> As Domain Administrator (or equivalently privileged user), run
> %SYSTEMROOT%\system32\redircmp <DN path to alternate OU>
> Similarly you can redirect default Users container:
> %SYSTEMROOT%\system32\redirusr <DN path to alternate OU>

On my machines with the 2003 administration pack I don't have these two
commands. Maybe they are part of RSAT, which is for W7, right? We currently just
have XP machines.


Marc Muehlfeld (Head of IT)
Zentrum fuer Humangenetik und Laboratoriumsmedizin
Dr. Klein, Dr. Rost und Kollegen
Lochhamer Str. 29 - D-82152 Martinsried
Phone: +49(0)89/895578-0 - Fax: +49(0)89/895578-780

More information about the samba-technical mailing list