Error Message "Access Denied" When You Join a Computer to a Domain (330095)

The information in this article applies to:

  • Microsoft Windows XP Professional

This article was previously published under Q330095

SYMPTOMS

When you try to join a computer to a domain, the join process might not work, and you might receive an "Access denied" (in Windows XP) or an "Insufficient privileges" (in Microsoft Windows 2000) error message. You receive the error message under the following conditions:
  • You are replacing a client computer with another computer that has the same computer name.
  • The domain user account that you are using for the join process has only the "Add workstation to domain" permission, so the old computer account has to be deleted before the replacement computer is joined.

CAUSE

The client uses a Lightweight Directory Access Protocol (LDAP) server (a domain controller) that has not yet replicated the deletion of the old computer account, and the user account that performs the join does not have the permissions that are needed to modify the account that still exists on that domain controller.

WORKAROUND

To work around this behavior, use any of the following methods:
  • Use a different computer name.
  • Wait for Active Directory replication to occur, or force replication to occur by using the following command:

    repadmin /sync <DomainDN> <TargetDSAGUID>._msdcs.<DnsDomainName> <SourceDSAGUID> /force

  • Use a domain administrator account for the join process.
  • Grant additional permissions to the account that you are using:
    1. Start Adsiedit.msc.
    2. Open the Domain NC, DC=domain, CN=Computers node.
    3. Click Computers, and then click Properties.
    4. On the Security tab, click Advanced.
    5. Click Add, and then click the appropriate user account or group.
    6. In the Apply onto box, click Computer Objects.
    7. In the Permissions pane, click to select the Write All Properties, the Reset Password, and the Apply these permissions to objects and/or containers within this container only check boxes.
    8. Click OK until the change is made.
    9. Wait for Active Directory replication to occur, or force synchronization to occur.

STATUS

This behavior is by design.

MORE INFORMATION

Although the client determines the site in which it is located, it first looks in Domain Name System (DNS) for LDAP servers in "_ldap._tcp.dc._msdcs.DnsDomainName." This record is not site-specific. Therefore, the client might use an LDAP server (a domain controller) from a remote site that has not yet replicated the deletion of the old computer account. Whether this occurs depends on the Active Directory inter-site replication schedule.

The site information that is received from the LDAP server is used to find the site-specific LDAP servers in "_ldap._tcp.ClientSiteName._sites.dc._msdcs.DnsDomainName." During communication with the local LDAP servers, the client is made aware that its computer account name exists only at the domain controller that is first used. To avoid a potential replication conflict issue, the client uses a domain controller on which the computer account is already known instead of creating a new account. However, the domain user account that you are using for the join process does not have enough permissions to modify the existing account, so the join does not work.
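As an added example that is not part of this article, the following PowerShell script queries every domain controller directly and reports whether a computer account with the given name is still present on each one, so you can see the replication lag described above before you attempt the join. It assumes it is run on a domain-joined computer as a domain user who can read the Computers container; the $ComputerName value is a placeholder you supply.

```powershell
# Added example: check each domain controller for a possibly stale computer
# account. Not part of the Microsoft Knowledge Base article.
param([Parameter(Mandatory)][string]$ComputerName)   # e.g. WS-OLD (placeholder)

# Requires a domain-joined computer and domain credentials (assumption).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Computer accounts are stored with a trailing "$" in sAMAccountName.
# NetBIOS names cannot contain LDAP filter metacharacters, so no escaping is done.
$sam = "$ComputerName`$"

foreach ($dc in $domain.DomainControllers) {
    # Bind to this specific DC (not whichever DC the locator would pick).
    $rootDse = [ADSI]"LDAP://$($dc.Name)/RootDSE"
    $baseDn  = [string]$rootDse.defaultNamingContext
    $root    = [ADSI]"LDAP://$($dc.Name)/$baseDn"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    $result = $searcher.FindOne()

    # One row per DC: a mix of $true/$false means the deletion has not
    # replicated everywhere yet, which is the condition this article describes.
    [pscustomobject]@{
        DomainController  = $dc.Name
        Site              = $dc.SiteName
        AccountPresent    = ($null -ne $result)
        DistinguishedName = if ($result) { $result.Properties["distinguishedname"][0] } else { "" }
    }
}
```

Run it once before joining the replacement computer and again after replication (or after forcing synchronization) to confirm every DC reports AccountPresent as False.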

For additional information about the domain controller locator process, click the following article numbers to view the articles in the Microsoft Knowledge Base:

247811 How Domain Controllers Are Located in Windows

314861 How Domain Controllers Are Located in Windows XP

Modification Type: Minor    Last Reviewed: 1/21/2003
Keywords:kbprb KB330095