API for joining a computer to domain
w***@nospam.nospam
2006-10-17 15:48:27 UTC
Hi Experts,

Currently, I am developing an application to create a computer account and
join it to the domain.

After some investigation from a normal domain join operation, I observed
that there are some permissions granted to the user performing the join. For
your information, the delegated permissions are:

Write Description
Write Display Name
Write Computer Name (pre-Windows2k)
Validated write to dns host name
Validated write to service principal name
Write Account Restriction
Generic Read
* All the above ACEs are added to the joined computer object.

I have tried to use the following approaches to perform the join, but both
failed:

1. I tried the ADSI interface to create the computer object, however, the
permissions are not granted. I know that I can delegate those permissions
by editing the security descriptor manually, however, it would be more
appropriate to use some API from the SDK dedicated for such task.

2. I tried the NetJoinDomain to join a computer to the domain, however, it
always gives me an error code 0x00000035 which means "Network path was not
found".

Can anyone tell me what API I should use to create the computer and grant
the necessary rights for joining computer to domain?

Thanks in advance!

- Tony Cheung
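
Added example, not part of the original thread: a small audit that checks whether the ACEs held by the joining account on a computer object match the list in the post above, and flags anything broader. The schema GUIDs and SDDL right codes are standard Active Directory values that do not appear in the thread; the SID and security descriptor are constructed sample data, and rights are assumed to be in two-letter SDDL form rather than hex.

```python
import re

# Schema GUIDs for the rights listed in the post (standard AD values, not from the thread).
# SDDL codes: WP = write property, SW = validated (self) write.
EXPECTED = {
    ("WP", "bf967950-0de6-11d0-a285-00aa003049e2"): "Write Description",
    ("WP", "bf967953-0de6-11d0-a285-00aa003049e2"): "Write Display Name",
    ("WP", "3e0abfd0-126a-11d0-a060-00aa006c33ed"): "Write Computer Name (pre-Windows2k)",
    ("SW", "72e39547-7b18-11d1-adf6-00c04fd8d5cd"): "Validated write to dns host name",
    ("SW", "f3a64788-5306-11d1-a9c5-0000f80367c1"): "Validated write to service principal name",
    ("WP", "4c164200-20c0-11d0-a768-00aa006e0529"): "Write Account Restriction",
}
GENERIC_READ = {"RC", "LC", "RP", "LO"}  # what GR expands to on a directory object
# One ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

def audit(sddl, sid):
    """Return (missing right names, unexpected (code, guid) grants) for trustee sid."""
    missing = set(EXPECTED.values()) | {"Generic Read"}
    extra = []
    for ace_type, _flags, rights, guid, _inherit, trustee in ACE_RE.findall(sddl):
        if trustee != sid or ace_type not in ("A", "OA"):  # allow ACEs only
            continue
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if not guid and ("GR" in codes or GENERIC_READ <= codes):
            missing.discard("Generic Read")
        for code in sorted(codes - GENERIC_READ - {"GR"}):
            name = EXPECTED.get((code, guid.lower()))
            if name:
                missing.discard(name)
            else:
                extra.append((code, guid.lower()))  # e.g. GA, or WP on all properties
    return sorted(missing), extra

# Constructed sample data: a joiner SID and a computer-object security descriptor.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = ("O:DAG:DAD:(A;;GA;;;DA)"
          + "".join(f"(OA;;{c};{g};;{SID})" for c, g in EXPECTED)
          + f"(A;;LCRPLORC;;;{SID})")

if __name__ == "__main__":
    print(audit(SAMPLE, SID))                       # matches the post's list
    print(audit(SAMPLE + f"(A;;GA;;;{SID})", SID))  # joiner also has full control
```
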
Arkady Frenkel
2006-10-18 11:57:22 UTC
Do you have admin rights, just recollection. OTOH you need
SE_MACHINE_ACCOUNT_NAME to be enabled
http://windowssdk.msdn.microsoft.com/en-us/library/ms718062(VS.80).aspx

Arkady