The permissions needed are greater than those provided by the basic delegation wizard. Especially if you are re-joining a computer to a domain and, therefore, overwriting an existing computer object.
The whole thing is outlined here: http://support.microsoft.com/kb/932455
But the summary is this:
Create (computer objects)
Delete (computer objects)
Reset Password (computer objects)
Read and write Account Restrictions (computer objects)
Validated write to DNS host name (computer objects)
Validated write to service principal name (computer objects)
Cheers!
No comments:
Post a Comment