Creating computer object with non-admin user returning CONSTRAINT_ATT_TYPE instead of INSUFF_ACCESS_RIGHTS

Prashanth Reddy 1 Reputation point
2021-11-26T10:57:12.337+00:00

Hi All,

We have an Administrator user account with which we can create new entries like "Computer", "InetOrgPerson", "OrganizationalUnit", "Country" in MS AD without any issue.

When trying the same with a non-admin user for "InetOrgPerson", "OrganizationalUnit", "Country" entries, it is returning "INSUFF_ACCESS_RIGHTS". But for the "Computer" entry, instead of "INSUFF_ACCESS_RIGHTS" it is returning a "CONSTRAINT_ATT_TYPE" error.

The same payload for "Computer" is working for the Admin user. Here, instead of "INSUFF_ACCESS_RIGHTS" it is returning "CONSTRAINT_ATT_TYPE".

Is this expected, or is anything required in the configuration part?

Thanks
Prashanth

Active Directory

2 answers

  1. Limitless Technology 39,351 Reputation points
    2021-11-26T19:59:04.837+00:00

    Hi @Prashanth Reddy

    After a specific user or a specific group is provided with the permission to add or to remove computer objects to the domain on an organizational unit (OU) through the Delegation Wizard, users can't add some of the computers to the domain.

    These symptoms may occur if one or more of the following conditions are true:

    - A user or a group hasn't been granted the Reset Passwords permission for the computer objects.
    - Users have been delegated control of the Account Operators group or are members of the Account Operators group. These users haven't been granted the Read permission on the built-in OU in "Active Directory Users and Computers."

    You can use this article for resolution steps: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/access-denied-when-joining-computers



  2. Gary Reynolds 9,391 Reputation points
    2021-11-26T22:16:18.097+00:00

    Hi @Prashanth Reddy

    The reason why the computer account\object creation is working while the other object types are failing with INSUFF_ACCESS_RIGHTS, is that by default a non-admin user can create up to 10 computer objects.

    The CONSTRAINT_ATT_TYPE normally means that the attribute has a pre-defined value, and you are trying to set a value that is not in the predefined list. For example, the country attribute needs to be a two-letter ISO 3166 country code, i.e. "DE", "AU" and "FR". If you are using the same data for both the admin and non-admin users, it's likely that the non-admin user is missing a permission for one of the attributes that you are trying to set.

    As a test, try setting the minimum attributes and then increase the number of attributes included until you identify which attribute is causing the problem.

    Gary.
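
The attribute-by-attribute test suggested in the answer above, sketched as an added example (not code from the thread or from Microsoft). The `try_add` callback, the fake directory, the sample payload and the attribute it refuses are all constructed assumptions; against a real directory, `try_add` would wrap your LDAP client's add call as the non-admin user and delete the test object after each successful attempt.

```python
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, List[str]]
# Hypothetical callback: performs one add attempt with the given attributes,
# deletes the test object again if it was created, and returns (ok, error).
TryAdd = Callable[[Attrs], Tuple[bool, str]]


def isolate_failing_attributes(try_add: TryAdd, minimum: Attrs,
                               extra: Attrs) -> Tuple[Attrs, Dict[str, str]]:
    """Add the minimum set first, then one extra attribute at a time.

    Returns (accepted, rejected); rejected maps attribute name -> error text.
    """
    ok, err = try_add(dict(minimum))
    if not ok:
        raise RuntimeError(f"minimum attribute set already fails: {err}")
    accepted, rejected = dict(minimum), {}
    for name, values in extra.items():
        ok, err = try_add({**accepted, name: values})
        if ok:
            accepted[name] = values
        else:
            rejected[name] = err  # keep going so every bad attribute is found
    return accepted, rejected


def make_fake_directory(refused: Dict[str, str]) -> TryAdd:
    """Constructed stand-in for the server: refuses the attributes listed in
    `refused` with the given error. The list is invented for the demo and is
    not Active Directory's real rule set."""
    def try_add(attrs: Attrs) -> Tuple[bool, str]:
        for name in attrs:
            if name in refused:
                return False, refused[name]
        return True, ""
    return try_add


# Constructed sample payload for a computer entry.
MINIMUM = {"objectClass": ["computer"], "sAMAccountName": ["TESTPC01$"]}
EXTRA = {"dNSHostName": ["testpc01.example.test"],
         "description": ["lab machine"],
         "location": ["rack 4"]}

if __name__ == "__main__":
    fake = make_fake_directory({"description": "CONSTRAINT_ATT_TYPE"})
    accepted, rejected = isolate_failing_attributes(fake, MINIMUM, EXTRA)
    print("accepted:", sorted(accepted))
    print("rejected:", rejected)
```

Recording the error text per attribute also shows whether different attributes fail for different reasons, which a single all-or-nothing add cannot tell you.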