What rights are required in Active Directory in order to join the client host to the domain?
Attempting the join (for example with vastool join) with an account that lacks these rights fails with the error below. The DN in the message is whatever object vastool was trying to modify; here it is a group, but it is typically the computer object itself:
ERROR: VAS_ERR_FAILURE: Unspecified failure Caused by: VAS_ERR_LDAP: Error encountered processing ldap result for dn [CN=unix,OU=Groups,DC=EXAMPLE,DC=com], err=00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 . Caused by: LDAP_INSUFFICIENT_ACCESS: Insufficient access to complete operation
You may also see the following warning from vastool status after an otherwise successful join; it means vastool was able to create or bind the computer object but could not write its userPrincipalName (the optional right listed below):
WARNING: 402 Computer object has UPN of: <> (expected <host/computer.domainname@realm.com>).
If the computer object does not already exist, the joining account only needs the Create Computer Object right on the target Domain or OU (as creator it then owns the new object and can write its attributes).
If the computer object already exists (for example it was pre-staged, or the host is being re-joined), the joining account requires the following on that computer object:
Object permissions:
Reset Password
Object Properties:
Write DNS Host Name Attributes
Write userAccountControl
Write servicePrincipalName
(Optional but recommended)
Write Operating System
Write Operating System Version
Write userPrincipalName
RESOLUTION 1:
1 - Run the Active Directory Users and Computers console (dsa.msc) as a Domain Administrator.
2 - Right-click the OU where the computer account will be added (or already exists) and select Delegate Control.
3 - Add the joining account to the list and click Next.
4 - Select "Create a custom task to delegate" and click Next.
5 - Select "Only the following objects in the folder", tick Computer objects, and (if the account must also create new objects) tick "Create selected objects in this folder". Click Next.
6 - Select the permissions and properties noted above (Reset Password under General; the Write attributes under Property-specific) and finish the wizard.
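The same delegation can be done with the ActiveDirectory PowerShell module instead of the dsa.msc wizard, which is easier to review and repeat across OUs. The script below is an added example, not One Identity's code; the OU and join account names are placeholders, and it must run as a user allowed to modify the OU's security descriptor. It grants Create Computer Object on the OU (the "object does not exist" case) and the Reset Password and Write rights above as ACEs inherited by computer objects under the OU (the "object already exists" case). All GUIDs are looked up from the schema and Extended-Rights containers at run time rather than hard-coded; note that the wizard's "DNS Host Name Attributes" entry is a property set, so it is resolved from Extended-Rights, not from the schema.

```powershell
# Added example (not from the original article): delegate the rights listed above
# on an OU with the ActiveDirectory module. $OU and $JoinUser are assumed values.
Import-Module ActiveDirectory

$OU       = 'OU=UnixHosts,DC=EXAMPLE,DC=com'   # assumed target OU
$JoinUser = 'EXAMPLE\svc-vasjoin'              # assumed account used with vastool -u

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve an attribute/class GUID from the schema partition by lDAPDisplayName.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$LdapDisplayName' not found" }
    [guid]$o.schemaIDGUID
}

# Resolve an extended right or property set GUID from CN=Extended-Rights by displayName.
function Get-RightsGuid {
    param([string]$DisplayName)
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "control access right '$DisplayName' not found" }
    [guid]$o.rightsGuid
}

$sid = (New-Object System.Security.Principal.NTAccount($JoinUser)).Translate([System.Security.Principal.SecurityIdentifier])
$computerClass = Get-SchemaGuid 'computer'
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$acl = Get-Acl -Path "AD:\$OU"

# Case 1: computer object does not exist yet. Create Computer Object on the OU
# (objectType = computer class) and on any sub-OUs.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $Rights::CreateChild, $Allow, $computerClass, $Inherit::All))

# Case 2: computer object already exists. These ACEs apply only to descendant
# computer objects (inheritedObjectType = computer class).
# Reset Password is an extended (control access) right.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $Rights::ExtendedRight, $Allow, (Get-RightsGuid 'Reset Password'), $Inherit::Descendents, $computerClass))

# Write rights: one WriteProperty ACE per attribute (or property set).
$writeTargets = @(
    (Get-RightsGuid 'DNS Host Name Attributes'),   # property set, covers dNSHostName
    (Get-SchemaGuid 'userAccountControl'),
    (Get-SchemaGuid 'servicePrincipalName'),
    # optional but recommended
    (Get-SchemaGuid 'operatingSystem'),
    (Get-SchemaGuid 'operatingSystemVersion'),
    (Get-SchemaGuid 'userPrincipalName')
)
foreach ($g in $writeTargets) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights::WriteProperty, $Allow, $g, $Inherit::Descendents, $computerClass))
}

Set-Acl -Path "AD:\$OU" -AclObject $acl

# Check: show the ACEs now granted to the join account on the OU.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinUser } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The final Get-Acl listing is the check to keep: it shows exactly which ACEs the account holds, so a join failure after running this can be traced to a specific missing right rather than solved by switching to a broader account (Resolution 2). Drop the three optional entries from $writeTargets if the UPN and OS attributes should stay under the control of another process.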
RESOLUTION 2:
1 - Pass a different account that already has these AD permissions as the -u argument of the vastool join command. This is the quickest fix, but delegating only the rights listed above to a dedicated join account (Resolution 1) is the least-privilege option.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.