HP CIFS Server "net ads join" with Minimum User Permissions
Chapter 2 Initial Symptoms and Windows Management
A successful “net ads join” to the domain using the administrator user looks like this:

    rmonster->net ads join -U administrator
    administrator's password:
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
    rmonster->

The purpose of these operations is to successfully join the Windows 2003 domain without using
administrator rights. An unsuccessful “net ads join” using an ordinary domain user (which is only a
member of the Domain Users group) looks like this:

    rmonster->net ads join -U darla
    darla's password:
    [2005/09/14 12:49:37, 0] libads/ldap.c:ads_join_realm(1725)
    ads_join_realm: ads_add_machine_acct failed (rmonster): Insufficient access
    ads_join_realm: Insufficient access
    rmonster->

The user darla does not have the required permissions to join a computer object to the domain. darla
can be added to the Administrators group, the Domain Admins group, or the Enterprise Admins group,
which gives her full Administrator rights, and she can then successfully execute “net ads join”. But
then she no longer has minimum permissions. Below is a join with darla as a member of Administrators.
It is shown because, although darla with minimum permissions will also join the domain, the Samba
output will differ from the output produced with darla as an administrator:

    rmonster->net ads join -U darla
    darla's password:
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
    rmonster->

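Added example, not part of the HP document: a shell function that classifies captured “net ads join” output into the success and “Insufficient access” outcomes shown above, which is useful when a delegated, non-administrator account performs the join from a script. The sample text is copied from the sessions on this page; the name classify_join and its one-line result format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the HP document). classify_join is a hypothetical
# helper that reads captured "net ads join" output on stdin and prints:
#   joined <MACHINE> <REALM>          the join succeeded
#   denied <machine> <samba-source>   the user lacks rights to add the machine account
#   unknown                           neither pattern was seen
classify_join() {
    awk -v q="'" '
        # Samba debug header: [date time, level] file:function(line)
        /^\[[0-9]+.[0-9]+.[0-9]+ [0-9:]+, *[0-9]+\] / { src = $NF }
        # Success line: machine and realm are the two single-quoted fields.
        /^Joined / { split($0, f, q); result = "joined " f[2] " " f[4] }
        # Failure line: the machine name sits between the parentheses.
        /ads_add_machine_acct failed \(.*\): Insufficient access/ {
            m = $0
            sub(/^.*failed \(/, "", m)
            sub(/\).*$/, "", m)
            result = "denied " m " " src
        }
        END { print (result == "" ? "unknown" : result) }
    '
}

# Sample output copied from the sessions on this page.
SAMPLE_OK="administrator's password:
Using short domain name -- SNSLATC
Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'"

SAMPLE_DENIED="darla's password:
[2005/09/14 12:49:37, 0] libads/ldap.c:ads_join_realm(1725)
ads_join_realm: ads_add_machine_acct failed (rmonster): Insufficient access
ads_join_realm: Insufficient access"

printf '%s\n' "$SAMPLE_OK" | classify_join
printf '%s\n' "$SAMPLE_DENIED" | classify_join
```
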
2.1 AD Users and Computers MMC
All of the operations that are required to assign the user darla the necessary rights and privileges in
Active Directory are performed with the Active Directory Users and Computers Microsoft Management
Console. Start the console, then click View and select “Advanced Features”: