Microsoft small business knowledge base

Article ID: 932455 - Last Review: June 21, 2014 - Revision: 3.0

Symptoms

On a Microsoft Windows Server 2003-based or a Windows Server 2008-based domain controller, non-administrator users may experience one or more of the following symptoms:
  • After a specific user or group has been delegated permission, through the Delegation of Control Wizard, to add or remove computer objects on an organizational unit (OU), that user or group cannot add some computers to the domain. When the user tries to join a computer to the domain, the user may receive the following error message:
    Access is denied.
    Note Administrators can join computers to the domain without any issues.
  • Users who are members of the Account Operators group or who have been delegated control cannot create new user accounts or reset passwords when they log on locally or when they log on through terminal services to the domain controller.

    When users try to reset a password, they may receive the following error message:
    Windows cannot complete the password change for username because: Access is denied.
    When users try to create a new user account, they receive the following error message:
    The password for username cannot be set due to insufficient privileges, Windows will attempt to disable this account. If this attempt fails, the account will become a security risk. Contact an administrator as soon as possible to repair this. Before this user can log on, the password should be set, and the account must be enabled.

Cause

These symptoms may occur if one or more of the following conditions are true:
  • A user or a group has not been granted the Reset Passwords permission for the computer objects.

    Note A user or a group cannot join a computer to the domain unless that user or group has the Reset Password permission on computer objects. Without this permission, users can still create new computer accounts in the domain. But if the computer account already exists in Active Directory, they receive the "Access is denied" error message, because the Reset Password permission is required to reset the properties of the existing computer object.
  • Users have been delegated control of the Account Operators group or are members of the Account Operators group. These users have not been granted the Read permission on the built-in OU in "Active Directory Users and Computers."

Resolution

Users cannot join a computer to a domain

To resolve the issue in which users cannot join a computer to a domain, follow these steps:
  1. Click Start, click Run, type dsa.msc, and then click OK.
  2. In the task pane, expand the domain node.
  3. Locate and right-click the OU that you want to modify, and then click Delegate Control.
  4. In the Delegation of Control Wizard, click Next.
  5. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
  6. In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
  7. Click Only the following objects in the folder, and then in the list, click to select the Computer objects check box. Then, below the list, select the Create selected objects in this folder and Delete selected objects in this folder check boxes.
  8. Click Next.
  9. In the Permissions list, click to select the following check boxes:
    • Reset Password
    • Read and write Account Restrictions
    • Validated write to DNS host name
    • Validated write to service principal name
  10. Click Next, and then click Finish.
  11. Close the "Active Directory Users and Computers" MMC snap-in.

Users cannot reset passwords

To resolve the issue in which users cannot reset passwords, follow these steps:
  1. Click Start, click Run, type dsa.msc, and then click OK.
  2. In the task pane, expand the domain node.
  3. Locate and right-click Builtin, and then click Properties.
  4. In the Builtin Properties dialog box, click the Security tab.
  5. In the Group or user names list, click Account Operators.
  6. Under Permissions for Account Operators, click to select the Allow check box for the Read permission, and then click OK.

    Note If you want to use a group or a user other than the Account Operators group, repeat steps 5 and 6 for that group or that user.
  7. Close the "Active Directory Users and Computers" MMC snap-in.
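The two procedures above grant permissions through the GUI; the following PowerShell script is an added audit example (not from the original article) that verifies both delegations are in place: the four permissions on the OU for the delegated group, and Allow Read for Account Operators on the Builtin container. The OU distinguished name and group name are assumed placeholders; it requires the ActiveDirectory module on a domain-joined machine.

```powershell
# Added example: audit the delegations this article describes.
# Rights are resolved by display name from the Extended-Rights container,
# so no GUIDs are hard-coded. $OU and $Group are assumed placeholders.
Import-Module ActiveDirectory

$OU    = 'OU=Workstations,DC=contoso,DC=com'   # assumption: OU that was delegated
$Group = 'CONTOSO\Workstation Joiners'          # assumption: delegated group

$rootDse  = Get-ADRootDSE
$rightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Display names of the rights listed in step 9 of the first procedure.
# "Account Restrictions" is the property set behind Read/Write Account Restrictions.
$wanted = 'Reset Password',
          'Account Restrictions',
          'Validated write to DNS host name',
          'Validated write to service principal name'

# Map each display name to its rightsGuid from the schema.
$rights = @{}
foreach ($name in $wanted) {
    $obj = Get-ADObject -SearchBase $rightsDn -LDAPFilter "(displayName=$name)" -Properties rightsGuid
    if ($obj) { $rights[$name] = [guid]$obj.rightsGuid }
}

# Check the OU ACL for an Allow ACE granting each right to the delegated group.
$acl = Get-Acl -Path "AD:\$OU"
foreach ($name in $wanted) {
    $guid = $rights[$name]
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $guid
    }
    $status = if ($ace) { 'present' } else { 'MISSING' }
    "{0,-45} {1}" -f $name, $status
}

# Second symptom: Account Operators needs Allow Read on the Builtin container.
# Any component of GenericRead (ReadProperty, ListChildren, ...) counts here.
$builtinAcl = Get-Acl -Path "AD:\CN=Builtin,$($rootDse.defaultNamingContext)"
$readAce = $builtinAcl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Account Operators' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead)
}
"Account Operators Read on Builtin: " + $(if ($readAce) { 'present' } else { 'MISSING' })
```

Any line reporting MISSING points at the step in the corresponding procedure that still has to be applied.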

Applies to
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
Keywords: kbexpertiseadvanced kbtshoot KB932455