Error Message "Access Denied" When You Join a Computer to a Domain

Article ID: 330095
This article was previously published under Q330095

SYMPTOMS

When you try to join a computer to a domain, the join may fail with an "Access denied" error message (Windows XP) or an "Insufficient privileges" error message (Microsoft Windows 2000). You receive the error message under the following conditions:
  • You are replacing a client computer with another computer that has the same computer name.
  • The domain user account that you use for the join has only the "Add workstations to domain" user right, so it can create a computer account but cannot modify an existing one. For that reason, the old computer account is deleted before the replacement computer is joined.

CAUSE

The client is directed to a Lightweight Directory Access Protocol (LDAP) server (a domain controller) that has not yet received the replicated deletion of the old computer account, and the account that is used for the join does not have the permissions that are required to modify the account that still exists on that domain controller.

WORKAROUND

To work around this behavior, use any of the following methods:
  • Use a different computer name.
  • Wait for Active Directory replication to occur, or force replication of the domain naming context by running the following command, where the target DSA is the domain controller that still holds the old computer account and the source DSA is a domain controller that has already processed the deletion:
    repadmin /sync <DomainDN> <TargetDsaGuid>._msdcs.<DnsDomainName> <SourceDsaGuid> /force
  • Use a domain administrator account for the join process.
  • Grant additional permissions to the account that you are using:
    1. Start Adsiedit.msc.
    2. Expand the Domain NC node, expand the DC=domain node (the distinguished name of your domain), and then locate the CN=Computers container.
    3. Right-click CN=Computers, and then click Properties.
    4. On the Security tab, click Advanced.
    5. Click Add, and then click the appropriate user account or group.
    6. In the Apply onto box, click Computer Objects.
    7. In the Permissions pane, select the Write All Properties and Reset Password check boxes, and then select the Apply these permissions to objects and/or containers within this container only check box.
    8. Click OK until the change is made.
    9. Wait for Active Directory replication to occur, or force synchronization to occur.
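The following PowerShell script is an added example and is not part of the original article. It checks every domain controller in the domain for a lingering copy of the old computer account (the condition described under CAUSE) and prints the commands that implement workarounds 2 and 4: a repadmin replication pull for each domain controller that still holds the account, and a dsacls delegation equivalent to the ADSI Edit steps above. It assumes the RSAT ActiveDirectory module, that repadmin.exe and dsacls.exe are available, and uses the placeholder names PC01 and EXAMPLE\Join Operators.

```powershell
<#
  Added example (not part of KB 330095). Before re-joining a machine under a
  reused name, check every DC for a lingering copy of the old computer account
  and emit the commands for the article's workarounds 2 and 4.
  Assumptions: RSAT ActiveDirectory module installed; repadmin and dsacls on
  the PATH; "PC01" and "EXAMPLE\Join Operators" are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$ComputerName,            # e.g. PC01 (placeholder)
    [string]$Domain      = (Get-ADDomain).DNSRoot,
    [string]$JoinAccount = 'EXAMPLE\Join Operators'        # account or group that performs joins (placeholder)
)
Import-Module ActiveDirectory -ErrorAction Stop

$domainObj = Get-ADDomain -Identity $Domain
$dcs       = Get-ADDomainController -Filter * -Server $Domain

# Query each DC directly (-Server) because, until the deletion has replicated,
# the account exists on some DCs and not on others.
$report = foreach ($dc in $dcs) {
    try {
        $acct = Get-ADComputer -Identity $ComputerName -Server $dc.HostName `
                    -Properties whenChanged -ErrorAction Stop
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; State = 'Exists';      WhenChanged = $acct.whenChanged }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; State = 'Deleted';     WhenChanged = $null }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; State = 'Unreachable'; WhenChanged = $null }
    }
}
$report | Format-Table -AutoSize

$stale = @($report | Where-Object State -eq 'Exists')
$clean = @($report | Where-Object State -eq 'Deleted')

if ($stale.Count -gt 0 -and $clean.Count -gt 0) {
    Write-Warning "Deletion of '$ComputerName' has not replicated to: $($stale.DC -join ', ')"
    # Workaround 2. Modern repadmin syntax (/replicate <dest> <source> <NC>);
    # the article's /sync form is the Windows 2000/XP-era equivalent.
    Write-Host "# Workaround 2: pull the deletion onto each DC that still holds the account"
    foreach ($s in $stale) {
        Write-Host "repadmin /replicate $($s.DC) $($clean[0].DC) `"$($domainObj.DistinguishedName)`""
    }
}

# Workaround 4 as dsacls commands equivalent to the ADSI Edit steps:
# /I:S  = apply to sub-objects only (the "within this container only" check box)
# WP    = Write All Properties on objects of class computer
# CA    = the "Reset Password" control-access right on objects of class computer
$computersDn = "CN=Computers,$($domainObj.DistinguishedName)"
Write-Host "# Workaround 4: delegate enough rights to modify an existing computer object"
Write-Host "dsacls `"$computersDn`" /I:S /G `"$($JoinAccount):WP;;computer`""
Write-Host "dsacls `"$computersDn`" /I:S /G `"$($JoinAccount):CA;Reset Password;computer`""
```

Run it as `.\Check-StaleComputerAccount.ps1 -ComputerName PC01` from an account that can read all domain controllers. The script only prints the repadmin and dsacls commands rather than running them, so you can review which domain controller still holds the old account and which principal is about to receive write access to every computer object under CN=Computers before making either change.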

STATUS

This behavior is by design.

MORE INFORMATION

Although the client ultimately looks for domain controllers in its own site, its first DNS query is for the LDAP servers in "_ldap._tcp.dc._msdcs.DnsDomainName", because it does not yet know which site it is in. This record set is not site-specific, so the query can return an LDAP server (a domain controller) in a remote site that has not yet replicated the deletion of the old computer account. Whether it has depends on the Active Directory inter-site replication schedule.

The site information that is returned by that first LDAP server is then used to find the site-specific LDAP servers in "_ldap._tcp.ClientSiteName._sites.dc._msdcs.DnsDomainName". While communicating with the local LDAP servers, the client learns that a computer account with its name exists only on the domain controller that it contacted first. To avoid a replication conflict (a new account created locally colliding with the old account that still exists remotely), the client performs the join against the domain controller on which the account is already known instead of creating a new account. The domain user account that you use for the join does not have enough permissions to modify that existing account, so the join fails.
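The following script is an added example, not part of the original article. It reproduces the two DNS lookups that the locator process above performs, so you can see which domain controllers the non-site-specific record set could have handed to the client versus the set for the client's own site, and which domain controller the locator actually selected. It assumes the DnsClient module (Windows 8 / Windows Server 2012 or later), nltest.exe, and a domain-joined session in which $env:USERDNSDOMAIN is set.

```powershell
<#
  Added example (not part of KB 330095): show the non-site-specific and the
  site-specific LDAP SRV record sets that the DC locator queries, and which DC
  it settled on. Assumes the DnsClient module (Windows 8 / Server 2012+) and
  nltest.exe; run from a domain-joined session (USERDNSDOMAIN is set).
#>
param([string]$Domain = $env:USERDNSDOMAIN)

function Get-DcSrv([string]$Name) {
    # Resolve-DnsName also returns the A records of the SRV targets; keep only the SRV answers.
    Resolve-DnsName -Type SRV -Name $Name -ErrorAction Stop |
        Where-Object Type -eq 'SRV' |
        Select-Object @{ n = 'DC'; e = { $_.NameTarget } }, Priority, Weight, Port
}

# Step 1: the generic record set. Any DC in the forest can appear here, including
# one in a remote site that has not yet replicated a recent deletion.
$all = @(Get-DcSrv "_ldap._tcp.dc._msdcs.$Domain")
"Non-site-specific record set ($($all.Count) DCs, any site):"
$all | Format-Table -AutoSize

# Step 2: the site-specific record set, once the client knows its site name.
$site = (nltest /dsgetsite 2>$null | Select-Object -First 1)
if ($site) {
    $site  = $site.Trim()
    $local = @(Get-DcSrv "_ldap._tcp.$site._sites.dc._msdcs.$Domain")
    "Site-specific record set for site '$site' ($($local.Count) DCs):"
    $local | Format-Table -AutoSize

    $remoteOnly = @($all | Where-Object { $_.DC -notin $local.DC })
    if ($remoteOnly.Count -gt 0) {
        "DCs the first lookup can return that are outside this site: $($remoteOnly.DC -join ', ')"
    }
}

# Step 3: which DC the locator actually chose for this client (forces a fresh discovery
# instead of returning the cached answer).
nltest /dsgetdc:$Domain /force
```

If the domain controller reported by nltest is one of the "outside this site" entries, and a computer account with the reused name still exists on it, you are in exactly the situation the article describes; the check in the earlier example, or a direct `Get-ADComputer -Server` against that domain controller, will confirm it.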

For additional information about the domain controller locator process, click the following article numbers to view the articles in the Microsoft Knowledge Base:
247811 How Domain Controllers Are Located in Windows
314861 How Domain Controllers Are Located in Windows XP

Properties

Article ID: 330095 - Last Review: January 21, 2003 - Revision: 1.3
APPLIES TO
  • Microsoft Windows XP Professional
Keywords: kbprb KB330095
