Error message "Insufficient Privileges" When You Try to Join the Domain (329195)

The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server

This article was previously published under Q329195

SYMPTOMS

When you replace a client computer with a new computer that has the same computer name, the join process may not work, and you may receive an error message that states that you do not have the correct privileges.

CAUSE

This behavior may occur if the domain user account that you are using to join the domain has only the "Add workstation to domain" permission, but not the permission to change an existing computer account. In this scenario, the old computer account was deleted before the computer was replaced, but the new client contacts an LDAP server (domain controller) that has not yet received the replicated deletion, and the user account does not have the permissions that are required to modify the computer account that still exists on that domain controller.

RESOLUTION

To work around this behavior, use one of the following methods:
  • Use a different computer name.
  • Wait for Active Directory replication to occur, or force it to do so with the following command:

    repadmin /sync <DomainDN> <target DSA GUID>._msdcs <source DSA GUID> /force

  • Use a domain administrator account, or grant additional privileges to a defined setup administrator for the join task. To grant additional privileges to a defined setup administrator for the join task, follow the steps below.

    WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

    1. Start Adsiedit.msc.
    2. Locate Domain NC, DC=domain, CN=Computers.
    3. On Computers, click Properties, click Security, click Advanced, click Add, and then click the defined setup user account or group.
    4. In the Permission Entry for Computers dialog box, click Computer Objects in the Apply onto box.
    5. Under Permissions, click to select the Write All Properties, Reset Password, and Apply these permissions to objects and/or containers within this container only check boxes.
    6. Click OK, click OK, and then click OK again.
    7. Wait for Active Directory to replicate, or force synchronization by using the repadmin command from the second method above.

STATUS

This behavior is by design.

MORE INFORMATION

While the client determines which site it is in, it looks in DNS for LDAP servers in _ldap._tcp.dc._msdcs.DnsDomainName, which is not site-specific. The new client may therefore use an LDAP server from a remote site that has not yet replicated the deletion of the old computer account. Whether this happens depends on the Active Directory inter-site replication schedule.

The new client computer uses the site information that it received from this LDAP server to find the site-specific LDAP servers in _ldap._tcp.ClientSiteName._sites.dc._msdcs.DnsDomainName. During communication with the local LDAP servers, the client realizes that its computer account name exists only at the domain controller that it initially used.

To avoid potential replication-conflict issues, the client uses a domain controller on which the computer account is already known instead of creating a new account. The domain user account that is used for the join process has insufficient permissions to modify the existing account, and the join does not work.
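As an added example (not part of this Knowledge Base article), the following PowerShell script lets an administrator check, before a computer name is re-used, whether every domain controller agrees on the state of the existing computer account. It assumes the RSAT ActiveDirectory and DnsClient modules are installed; the parameter names are my own.

```powershell
# Added example, not from the KB article: detect the replication lag described in
# MORE INFORMATION by asking each DC directly whether it still holds the account.
# Assumes RSAT ActiveDirectory + DnsClient modules; $ComputerName is supplied by you.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$DnsDomainName = (Get-ADDomain).DNSRoot
)
Import-Module ActiveDirectory

# 1. The non-site-specific SRV record that a client queries first. Any DC listed
#    here, including one in a remote site, may answer the initial locator query.
$generic = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$DnsDomainName" -ErrorAction SilentlyContinue
Write-Host "Generic locator record _ldap._tcp.dc._msdcs.$DnsDomainName lists $(@($generic).Count) DC(s)."

# 2. Query every DC individually (-Server pins the query to that DC, so no
#    referral hides a replication difference). -Filter returns nothing, rather
#    than throwing, when the account is absent.
$results = foreach ($dc in Get-ADDomainController -Filter * -Server $DnsDomainName) {
    $obj = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Server $dc.HostName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController  = $dc.HostName
        Site              = $dc.Site
        AccountPresent    = [bool]$obj
        DistinguishedName = $obj.DistinguishedName
    }
}
$results | Format-Table -AutoSize

# 3. Interpret the result in terms of the article's three workarounds.
$present = @($results | Where-Object AccountPresent)
$total   = @($results).Count
if ($present.Count -gt 0 -and $present.Count -lt $total) {
    Write-Warning "'$ComputerName' is visible on $($present.Count) of $total DCs: the deletion has not replicated yet. Wait, or force replication (e.g. repadmin /syncall) before joining."
} elseif ($present.Count -eq $total -and $total -gt 0) {
    Write-Host "'$ComputerName' exists on every DC: the joining user needs rights to modify the existing object, or the object must be deleted and that deletion replicated first."
} else {
    Write-Host "'$ComputerName' is absent on every DC: the 'Add workstation to domain' right is sufficient for the join."
}
```

Run it from a workstation that can reach all domain controllers; a mixed result is exactly the state in which the join fails with "Insufficient Privileges".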

For additional information about the domain controller locator process, click the article numbers below to view the articles in the Microsoft Knowledge Base:

  • 247811 How Domain Controllers Are Located in Windows
  • 314861 How Domain Controllers Are Located in Windows XP


Modification Type: Major
Last Reviewed: 11/19/2003
Keywords: kbprb KB329195