This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 84%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hi All ,
A task sequence completed imaging windows 10 machine but the machine didn't join the domain , looking at the netsetup log I found the following error:
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
I'm sure the "domain join account" have sufficient permissions to create the machine object in the OU named "B" . but also I know this machine have an object in AD in a different OU "A" where the domain join account doesn't have permissions to.
I just don't understand , why the domain join account needs permissions to the OU where the machine currently exist "A" , why permissions to "B" is not enough?
Thanks
No, it won't be moved. It is reused, as is, and in-place.
If that's your intent, you need to implement an additional process to either move the account or delete it before the process begins to side-step your initial permissions issue also.
Because that's the way it works. If an object for the system already exists, then that object will be reused and thus the account used must have permissions on the existing object.
So when you say the machine object will be reused , do you mean it will be moved ?
so if I grant the domain join account a permission to the old OU , now I expect the machine object will be moved from old OU to the new OU ?