If you have computers that aren’t joining the domain during the task sequence, and you receive the following errors in the C:\Windows\debug\NetSetup.log file, the cause is most likely the rights on the service account used on the Join Domain/Apply Network Settings item in the task sequence.
NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: 00000005: SecErr: DSID-031A11CC, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
NetpModifyComputerObjectInDs: ldap_modify_s failed: 0x32 0x5
NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5
NetpProvisionComputerAccount: LDAP creation failed: 0x5
To fix this, you need to modify the service account delegation rights. In ADUC:
- Identify the security principal that you want to delegate permissions for.
- Identify the container or OU where you want to allow users to manipulate computer objects.
- Right click the container or OU and choose Delegate Control.
- The Delegation of Control Wizard opens, click Next.
- The Users or Groups window opens:
Select the security principal you want to grant permissions to, and then click Next again. - The Tasks to Delegate window opens:
Select Create a custom task to delegate and click Next. - The Active Directory Object Type window opens:
Select Only the following objects in the folder and then select Computer objects. At the bottom of the window, select Create selected objects in this folder and Delete selected objects in this folder, and click Next. - The Permissions window opens
Select General and Property-specific options, and then select these permissions:
– Read All Properties
– Write All Properties
– Reset Password
– Read and write Account Restrictions
– Validated write to DNS host name
– Validated write to service principal name - The Completing the Delegation of Control Wizard window will open showing you a summary of the actions. Click Finish.
Test your imaging process now.
Notes