What rights are required in Active Directory in order to join the client host to the domain?
Running one of the example commands below results in the following error:
ERROR: VAS_ERR_FAILURE: Unspecified failure Caused by: VAS_ERR_LDAP: Error encountered processing ldap result for dn [CN=unix,OU=Groups,DC=EXAMPLE,DC=com], err=00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 . Caused by: LDAP_INSUFFICIENT_ACCESS: Insufficient access to complete operation
You may also see the following warning when running vastool status after a successful join:
WARNING: 402 Computer object has UPN of: <> (expected <firstname.lastname@example.org>).
If the computer object does not already exist, the joining account only needs the Create Computer Object right on the specific Domain or OU.
If the computer object already exists, the joining account requires:
Write DNS Host Name Attributes
(Optional but recommended)
Write Operating System
Write Operating System Version
1 - Run the Active Directory Users and Computers console (dsa.msc) as Domain Administrator.
2 - Click on the OU where the computer account will be added, right-click and select Delegate Control.
3 - Add the user to the list and select Next.
4 - Select a custom task to delegate, then select Next.
5 - Select Computer Objects from the list of objects, then select Next.
6 - Select the above noted permissions and properties.
6 - Select the above noted permissions and properties.
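To confirm what the delegation steps above actually granted, the following added example (not part of the original article or the product) lists the ACEs the joining account holds on the OU and resolves the object GUIDs to readable names. The OU DN and account name are hypothetical placeholders, and the script assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: audit the rights delegated to a join account on an OU.
Import-Module ActiveDirectory

$OU      = 'OU=UnixHosts,DC=EXAMPLE,DC=com'   # hypothetical OU DN
$Account = 'EXAMPLE\svc-unixjoin'             # hypothetical joining account

# Attributes, property sets and validated writes can share one GUID
# (the DNS host name entries do), so names are appended rather than overwritten.
function Add-GuidName([hashtable]$Map, [guid]$Guid, [string]$Name) {
    $key = $Guid.ToString()
    if ($Map.ContainsKey($key)) { $Map[$key] = "$($Map[$key]) / $Name" }
    else                        { $Map[$key] = $Name }
}

$rootDse = Get-ADRootDSE
$guidMap = @{}
$guidMap[[guid]::Empty.ToString()] = 'All'    # empty GUID = no restriction

# Schema classes and attributes (schemaIDGUID is returned as a byte array).
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { Add-GuidName $guidMap $_.schemaIDGUID $_.lDAPDisplayName }

# Property sets, validated writes and extended rights.
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { Add-GuidName $guidMap $_.rightsGuid $_.displayName }

# Show only the ACEs for the joining account, with GUIDs resolved.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
        @{ n = 'ObjectType';          e = { $guidMap[$_.ObjectType.ToString()] } },
        @{ n = 'InheritedObjectType'; e = { $guidMap[$_.InheritedObjectType.ToString()] } } |
    Format-Table -AutoSize
```

Compare the output with the rights listed above; any entry broader than those, such as GenericAll or a write right with ObjectType 'All', is worth reviewing before the account is used for joins.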
1 - Use a different account with more AD permissions after the -u in the command