Mar 24, '05 09:37:00AM • Contributed by: ndutyme
But now, after the latest 003 security update, trying to bind a Mac to an AD computer account stopped working. It gave me an error at the last stage of the bind saying that the user account didn't have sufficient privileges (referring to the AD user account I supplied) to join the Mac to the AD computer account. So, I called up a network administrator to help me troubleshoot it, and here is what we found out.
When you create the computer account in AD, just like always, it inherits the permissions of the organizational unit (OU) it was created in. The admin group I am a member of has full permissions on this OU, so the group was added to the computer account with full permissions.
Before the Apple Security Update 2005-003:
The Apple AD plug-in would be fine with this, and realize that the AD user account supplied during the bind was in an AD group that had sufficient permission to join the Mac to the AD computer account.
After the Apple Security Update 2005-003:
The Apple AD plug-in will not check to see if the AD user account supplied during the bind is a member of an AD group with sufficient permissions to join a Mac to the AD computer account.
The Fix:
The way we were able to get around this was to give my AD user account full permissions for the AD computer account that I was trying to bind the Mac to.
