Active Directory: remote management tools fail to create a user in a particular OU

Lancelot_Zheng 21 Reputation points
2020-10-14T08:28:26.697+00:00

Hi Team,

Good day.

We have encountered the issue described below:

Issue description:

===========

Failed to create a user even though this domain user has Full Control rights on the particular OU.

[screenshot: 32198-1.png]

Context:

1. Checked the domain user's rights on the particular OU: Full access to this object, with inheritance enabled.
2. Only one Deny entry in the OU, as shown below:
[screenshot: 32254-2.png]
3. No firewall settings on the client or the server.

A: (Assessment)

==============

1. Is this something related to a GPO?
2. Which setting causes the remote client not to have create rights on the OU, even though this user already has full access to this OU?

Troubleshooting done (add each troubleshooting step here):

================

1. If we add this domain user to the Domain Admins group, the error goes away.


4 answers

  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2020-10-16T03:17:05.807+00:00

    Hi,
    I did a test in my lab the way you described above, and the effective access was also the same.
    There was no problem creating a user.
    One point: after assigning the permission, make sure the configuration has replicated to all other DCs. You can do that with the command: Repadmin /syncall /APeD

    1. It seems not to be related to the Deny permission for Everyone.
    Just in case, when you deny the Delete permission, please make sure all other permissions (such as Read and Write) are cleared by pressing Clear all:
    [screenshot: 32777-10162.jpg]

    2. If possible, please try the following approach and see whether it works for your situation.
    Remove the user from the permission assignment and assign the permission another way:
    Right-click the OU, select Delegate Control, and add the name of the user you want to delegate control to.
    [screenshots: 32803-step1.jpg, 32784-10163.jpg, 32736-10164.jpg]

    3. If it still does not work, I would suggest:

    a. Check that the adminCount attribute is <not set> or 0.
    If the value of adminCount is 1, that means the user is, or has been, a member of a protected group. The value can be seen in ADUC, ADSIEdit or LDP. Below is the attribute viewed via ADUC.
    [screenshot: 32756-10166.jpg]
    b. Check whether the user has other group memberships and whether any Deny permission was assigned to them.

    Best Regards,

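The three checks in the answer above (Deny ACEs that reach the user through any group, the adminCount value, and whether the permission change has replicated to every DC) can be run in one pass from a management workstation with the ActiveDirectory module. The script below is an added example, not code from the thread or from Microsoft; the OU distinguished name and the account name are assumptions and must be replaced.

```powershell
# Added example, not from the thread: audit why a delegated account cannot create
# user objects in an OU. The OU DN and the account name below are assumptions.
Import-Module ActiveDirectory

$OU   = 'OU=Delegated,DC=corp,DC=example'   # assumption: the OU being delegated
$User = 'jdoe'                              # assumption: the delegated account
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"

# 1. Every SID the access check evaluates: the user, all nested groups
#    (LDAP_MATCHING_RULE_IN_CHAIN), the primary group, and well-known groups.
$u      = Get-ADUser -Identity $User -Properties adminCount
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($u.DistinguishedName))"
$sids   = @($u.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })
$sids  += (Get-ADGroup -Identity 'Domain Users').SID.Value   # primary group is not in memberOf
$sids  += 'S-1-1-0', 'S-1-5-11'                              # Everyone, Authenticated Users

# 2. ACEs on the OU that apply to any of those SIDs. Deny ACEs are evaluated
#    before Allow ACEs, so a Deny on a group the user is in wins over Full Control.
$acl = Get-Acl -Path "AD:\$OU"
$relevant = $acl.Access | Where-Object {
    try   { $sids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $false }   # unresolvable SID (deleted principal): not one of ours
}
$relevant | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                         ObjectType, InheritedObjectType, IsInherited -AutoSize

# 3. A Deny that covers CreateChild for "user" (or for all child objects, empty
#    GUID) blocks user creation whatever Allow ACEs exist elsewhere in the DACL.
$createRight = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$blocking = $relevant | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ActiveDirectoryRights.HasFlag($createRight) -and
    ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $UserClassGuid)
}
if ($blocking) {
    Write-Warning 'Deny ACE(s) that block creating user objects:'
    $blocking | Format-List IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# 4. adminCount = 1 means SDProp periodically stamps the account with the
#    AdminSDHolder ACL and disables inheritance on it.
"adminCount of $User : $($u.adminCount)"

# 5. Compare the OU's DACL on every DC. A difference means the ACL change has not
#    replicated yet, and the client may be bound to a DC that still has the old one.
$sddl = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    New-PSDrive -Name ADx -PSProvider ActiveDirectory -Root '' -Server $dc.HostName | Out-Null
    $sddl[$dc.HostName] = (Get-Acl -Path "ADx:\$OU").Sddl
    Remove-PSDrive -Name ADx
}
$sddl.GetEnumerator() | Sort-Object Name |
    Format-Table Name, @{ n = 'SddlHash'; e = { $_.Value.GetHashCode() } } -AutoSize
if (@($sddl.Values | Select-Object -Unique).Count -gt 1) {
    Write-Warning 'DACL differs between DCs; run: repadmin /syncall /APeD'
}
```

Step 5 reads the ACL through a separate PSDrive per DC rather than trusting the default AD: drive, which is bound to whichever DC the workstation located; the repadmin command from the answer is only needed when the hashes disagree.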

  2. Thameur-BOURBITA 32,831 Reputation points
    2020-10-21T08:45:49.583+00:00

    Hi,

    You have to set up a delegation to create new accounts at the OU level; you can refer to the following link for more details:

    delegating-administration-by-using-ou-objects

    Please don't forget to mark this reply as the answer if it helps you fix your issue.

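Both this answer and point 2 of the first answer recommend delegating the right at the OU level instead of adding the account to Domain Admins. The Delegation of Control wizard's "Create, delete, and manage user accounts" task writes two ACEs, which can be set without the GUI as shown below. This is an added example, not code from the thread or from Microsoft; the OU distinguished name and the group name are assumptions.

```powershell
# Added example, not from the thread: delegate "create, delete and manage user
# objects" on one OU. The OU DN and the group name are assumptions.
Import-Module ActiveDirectory

$OU    = 'OU=Delegated,DC=corp,DC=example'   # assumption: the OU being delegated
$Group = 'OU-Delegated-UserAdmins'           # assumption: delegate to a group, never to a single user
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"

$sid = (Get-ADGroup -Identity $Group).SID
$acl = Get-Acl -Path "AD:\$OU"

# ACE 1: create and delete child objects of class "user" in this OU and every
# sub-OU. Constructor: (identity, rights, type, objectType, inheritance).
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $UserClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: full control over the user objects themselves (set attributes, reset
# password), applied only to descendants of class "user", not to the OU or to
# groups/computers in it. Constructor: (identity, rights, type, inheritance,
# inheritedObjectType). The .NET enum member really is spelled "Descendents".
$manageUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClassGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($manageUsers)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify the two ACEs landed, then push the change to all DCs so the delegated
# user gets the same answer whichever DC the ADUC console binds to.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Format-Table AccessControlType, ActiveDirectoryRights, ObjectType,
                 InheritedObjectType, InheritanceType -AutoSize
repadmin /syncall /APeD
```

Scoping ACE 2 to the user class GUID is what keeps this delegation least-privilege: a plain "Full Control on this object and all descendants" ACE on the OU would also let the group modify group memberships, computer objects and the OU's own DACL.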

  3. Lancelot_Zheng 21 Reputation points
    2020-10-22T03:48:05.61+00:00

    Hi FanFan,

    1. I think the syncing process is correct; all the objects on the different DCs are synced.

    2. Used the customized delegation for that user; still not working.

    3. Set the adminCount attribute to 0; still failed to create.

    4. We need some advanced troubleshooting steps.

    5. Please advise.


  4. Fan Fan 15,326 Reputation points Microsoft Vendor
    2020-10-23T02:52:25.69+00:00

    Hi,
    It seems there is no problem with the permission configuration.

    When you open the ADUC tool, was the user prompted to enter an administrative user name and password?
    What did you enter? Is it possible it was the local administrator?
    If UAC is enabled, I would recommend disabling it and trying to create the user again.

    Best Regards,
