This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
We have given our Service Desk permissions to be able to rename a domained laptop through delegated permissions on computer objects to a container which contains all of our hybrid joined Laptops however when they try to rename a laptop they get the error message:
Can't change the PC name using this account.
The delegated permissions that have been given are the below:
Write All Properties
Validated write to DNS host name
Validated write to service principal name
The users are part of a Security group which is included as Local Admin on the laptop and we have verified that works as they are able to elevate using UAC. The only issue we are having is the renaming a PC part.
On the DC we have also updated the local security policy (Security Settings > Local Policies > Security Options > Network access: Restrict clients allowed to make remote calls to SAM) to include the above security group but that also hasn't worked.
Does anyone know what else we can try to get this part working? The only thing that has worked is temporarily giving them Domain Admin which we do not want to do permanently.
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.
Hello Stokesy_889,
Thank you for posting in Microsoft Community forum.
You can try the following four permissions and check if it helps.
You can also give the user or group permissions below via Security tab, then check if it helps.
I hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
Hi Daisy,
Thanks for coming back to me,
I have tried this with all the settings you have mentioned and asked the Service Desk to test this again however we are still getting the same error message:
Can't change the PC name using this account.
Is there anything else to try?
Thanks
Hello
Greetings!
You can try the permissions below and check if it helps.
If it does not work, it seems it needs "Full Control" permission.
Best Regards,
Daisy Zhou
Hi Daisy,
We have tried this but this still doesn't allow the user to rename a domain laptop.
I'm sure in the past we have given them Full Control over the OU containing the laptops and that still hasn't allowed them to do it. The only way seems to be giving Domain Admin access which obviously we want to avoid doing.
Thanks
Hello
Good day!
If you have given user or user group Full Control over the OU containing the domain machines, you still cannot change the machine name.
1.Please check the option "Protect object from accidental deletion". Do not check the option.
2.Please check if this user has Full Control permissions on this machine via Effective Access tab.
3.If it is not the case about 1 and 2, I suggest you let one account in Domain Admins to rename the machines.
Best Regards,
Daisy Zhou
