RIS Build - Access is denied
in [Windows Servers]
|
Prev: Volume Shadow Copy Problems
Next: Can't load profile
From: Ken Zhao [MSFT] on 21 Dec 2005 03:31 Hi Dinny, Thanks for your reply! I am sorry that our information does not help you. For the current situation, I suggest you help me collect the following information so that I can perform further research to see if we can find any clues from the information. Please send me the system information file of the RIS server. To do this, let's use the following steps: 1. Click on Start, then Programs, Accessories, System Tools, and finally System Information. 2. When System Information opens, let's click on File and select Save. 3. A "Save Copy As" window will appear. 4. Click the down-arrow next to the "Save In" box and select "Desktop". 5. In the "File Name" box, type your case number. Now click Save. 6. This is saving the information from System Information into a MSInfo file that will be placed on the Windows desktop. 7. Attach the file (<CASE_NUMBER>.nfo) to your email and send it to me (v-kzhao(a)microsoft.com). Please send me an event log file on the client computer with the issue. 1. Click Start and choose Run. Then input: eventvwr 2. Right-click Application, select Save Log File As, name the txt file and save it. 3. Right-click Security, select Save Log File As, name the txt file and save it. 4. Right-click System, select Save Log File As, name the txt file and save it. 5. Send it to me. I hope we will find some clues from the information. I will do my best to perform the necessary research using the information. Thanks & Regards, Ken Zhao Microsoft Online Partner Support Get Secure! - www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- | Thread-Topic: RIS Build - Access is denied | thread-index: AcYErQc6LuEmSi+TQ0ixRHNsrgNhjw== | X-WBNR-Posting-Host: 194.60.125.248 | From: "=?Utf-8?B?ZGlubnk=?=" <dinny(a)nospam.postalias> | References: <87095BFC-FDE5-4063-9B1F-D4FE5DED4F7D(a)microsoft.com> <2XY9ovUAGHA.832(a)TK2MSFTNGXA02.phx.gbl> <74868CAA-6DB1-4F7E-8AC9-9FC2DF949195(a)microsoft.com> <ROeYk1HBGHA.3764(a)TK2MSFTNGXA02.phx.gbl> | Subject: RE: RIS Build - Access is denied | Date: Mon, 19 Dec 2005 07:01:02 -0800 | Lines: 30 | Message-ID: <D8D08BED-3447-4F28-AD30-E0978AD19C29(a)microsoft.com> | MIME-Version: 1.0 | Content-Type: text/plain; | charset="Utf-8" | Content-Transfer-Encoding: 7bit | X-Newsreader: Microsoft CDO for Windows 2000 | Content-Class: urn:content-classes:message | Importance: normal | Priority: normal | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 | Newsgroups: microsoft.public.windows.server.general | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250 | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.general:84155 | X-Tomcat-NG: microsoft.public.windows.server.general | | Hi Ken, | | I've looked through the links you gave and nothing in them seems to explain | the behavior that I am seeing. | | I am happy with how and why things "ought" to work. My point is that things | are not working like that - even though I believe the set up to be as it | should be. | | It still seems to me that there is some undocumented or erroneous behaviour | in the situation that I am experiencing? | | If the build user did not have the rights to add workstations to the domain | that should never work surely? Similarly if it has no rights to "re-add" a | machine account - then it could never "re-add" an account - but it can. | What I am trying to find out is what makes it fail purely in the situation | when the computer account already exists and has been created via RIS by the | same build user (but when that build user was a member of the domain admins | group). | | I do not think that question/answer is touched upon in any of the links? | | I appreciate that perhaps the question may be outside of the scope of the | newsgroup service - in which case just let me know. | | Cheers | | Dinny | | |
From: dinny on 22 Dec 2005 05:19 Hi Ken. I can happily send you that info but I don't think it will help. I do not believe that the issue is linked to a particular RIS server or client. It seems to be linked to the permissions assigned to a computer object in AD when that object is created via RIS (or perhap otherwise too) with a build account in domain admin as opposed to when that object is created by RIS with a build account granted the appropriate rights but not in domain admin. Even if I format the client - the issue still occurs as it relates to the computer object in AD - not the client OS itself. I logged the call hoping that perhaps something relating to this behaviour might be in Microsoft's internal knowledge base. I'm not sure what test facilities you have access to? But if you have a RIS server and 2 or three PCs - build a couple of PCs via a build account that is in domain admins. Then remove the build acc from domain admin - but delegate it the right to join computers to the domain (or set these same rights via a security policy). Let all the policies and membership sync. If you then experience the same issue as me - you should be able to build new PCs via RIS OK - but you should not be able to re-build the previously created PCs (unless you remove the computer object from AD first). If you don't get the issue then I guess I'll be convinced I've done something wrong somewhere. If you do get the issue - maybe you'll be able to work out why? I am 99% certain that the issue lies in AD itself rather than the RIS server or client config though. Dinny
From: Ken Zhao [MSFT] on 26 Dec 2005 05:23 Hi Dinny, Thanks for your reply! If possible, please send the information to me to see if we can find some clues from the information. I will do my best to perform the necessary research using the information. Thanks & Regards, Ken Zhao Microsoft Online Partner Support Get Secure! - www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- | Thread-Topic: RIS Build - Access is denied | thread-index: AcYG4SFQihZloPjYTO+TzlqAg8sOeg== | X-WBNR-Posting-Host: 194.60.125.248 | From: "=?Utf-8?B?ZGlubnk=?=" <dinny(a)nospam.postalias> | References: <87095BFC-FDE5-4063-9B1F-D4FE5DED4F7D(a)microsoft.com> <2XY9ovUAGHA.832(a)TK2MSFTNGXA02.phx.gbl> <74868CAA-6DB1-4F7E-8AC9-9FC2DF949195(a)microsoft.com> <ROeYk1HBGHA.3764(a)TK2MSFTNGXA02.phx.gbl> <D8D08BED-3447-4F28-AD30-E0978AD19C29(a)microsoft.com> <5I9HmjgBGHA.2560(a)TK2MSFTNGXA02.phx.gbl> | Subject: RE: RIS Build - Access is denied | Date: Thu, 22 Dec 2005 02:19:02 -0800 | Lines: 31 | Message-ID: <DA72608D-10DF-4FE3-9FE6-57AD8FF8199E(a)microsoft.com> | MIME-Version: 1.0 | Content-Type: text/plain; | charset="Utf-8" | Content-Transfer-Encoding: 7bit | X-Newsreader: Microsoft CDO for Windows 2000 | Content-Class: urn:content-classes:message | Importance: normal | Priority: normal | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 | Newsgroups: microsoft.public.windows.server.general | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250 | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA03.phx.gbl | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.general:84391 | X-Tomcat-NG: microsoft.public.windows.server.general | | Hi Ken. | | I can happily send you that info but I don't think it will help. I do not | believe that the issue is linked to a particular RIS server or client. It | seems to be linked to the permissions assigned to a computer object in AD | when that object is created via RIS (or perhap otherwise too) with a build | account in domain admin as opposed to when that object is created by RIS with | a build account granted the appropriate rights but not in domain admin. Even | if I format the client - the issue still occurs as it relates to the computer | object in AD - not the client OS itself. | | I logged the call hoping that perhaps something relating to this behaviour | might be in Microsoft's internal knowledge base. | | I'm not sure what test facilities you have access to? But if you have a RIS | server and 2 or three PCs - build a couple of PCs via a build account that is | in domain admins. | Then remove the build acc from domain admin - but delegate it the right to | join computers to the domain (or set these same rights via a security policy). | Let all the policies and membership sync. | If you then experience the same issue as me - you should be able to build | new PCs via RIS OK - but you should not be able to re-build the previously | created PCs (unless you remove the computer object from AD first). | | If you don't get the issue then I guess I'll be convinced I've done | something wrong somewhere. If you do get the issue - maybe you'll be able to | work out why? | I am 99% certain that the issue lies in AD itself rather than the RIS server | or client config though. | | Dinny |
From: dinny on 3 Jan 2006 11:20 Hi Ken, Have just emailed you the info you requested. I didn't include a case no. as I don't believe I have one? Cheers Dinny
From: Ken Zhao [MSFT] on 4 Jan 2006 03:14
Hi Dinny, Thanks for your reply! Regarding the issue, I'd like to provide you with the following article that might be helpful: 817433: Delegated permissions are not available and inheritance is automatically disabled http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 I researched your event log file. However, I have not found the event error 1042 related to the RIS server. For this error, I searched the internet and found the following links that might be helpful to this event error. Event ID 1042 <http://www.eventid.net/display.asp?eventid=1042&eventno=2488&source=BINLSVC &phase=1> I hope the information helps. Thanks & Regards, Ken Zhao Microsoft Online Partner Support Get Secure! - www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- | Thread-Topic: RIS Build - Access is denied | thread-index: AcYQgY1fEjiiQKcrQJSQWb0LZwYchA== | X-WBNR-Posting-Host: 194.60.125.248 | From: "=?Utf-8?B?ZGlubnk=?=" <dinny(a)nospam.postalias> | References: <87095BFC-FDE5-4063-9B1F-D4FE5DED4F7D(a)microsoft.com> <2XY9ovUAGHA.832(a)TK2MSFTNGXA02.phx.gbl> <74868CAA-6DB1-4F7E-8AC9-9FC2DF949195(a)microsoft.com> <ROeYk1HBGHA.3764(a)TK2MSFTNGXA02.phx.gbl> <D8D08BED-3447-4F28-AD30-E0978AD19C29(a)microsoft.com> <5I9HmjgBGHA.2560(a)TK2MSFTNGXA02.phx.gbl> <DA72608D-10DF-4FE3-9FE6-57AD8FF8199E(a)microsoft.com> <MFpo8ZgCGHA.3764(a)TK2MSFTNGXA02.phx.gbl> | Subject: RE: RIS Build - Access is denied | Date: Tue, 3 Jan 2006 08:20:03 -0800 | Lines: 9 | Message-ID: <05FFD9D9-B2B0-4A59-85D1-FF5BA74E28F0(a)microsoft.com> | MIME-Version: 1.0 | Content-Type: text/plain; | charset="Utf-8" | Content-Transfer-Encoding: 7bit | X-Newsreader: Microsoft CDO for Windows 2000 | Content-Class: urn:content-classes:message | Importance: normal | Priority: normal | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 | Newsgroups: microsoft.public.windows.server.general | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250 | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.general:85023 | X-Tomcat-NG: microsoft.public.windows.server.general | | Hi Ken, | | Have just emailed you the info you requested. | | I didn't include a case no. as I don't believe I have one? | | Cheers | | Dinny | |