Created attachment 6967
Client creates computer account.

In Win2k we used an account that is a member of the group Account Operators to join and rejoin the domain, i.e. create and modify machine accounts. With Samba, being a member of the group Account Operators does not seem to be sufficient to create machine accounts; such a user can only work on existing machine accounts. I captured the network traffic from/to the client machine on a Win2k Server while the client uses such an account to join the domain from a machine that has no account on the DC.
Can you re-explain which se- right should grant the capability to do this? I'm pretty sure we don't check this right and have a simple if user had administrative rights.
(In reply to comment #1)
> Can you re-explain which se- right should grant the capability to do this?
> I'm pretty sure we don't check this right and have a simple if user had
> administrative rights.

In w2k it was/is sufficient to be a member of the group Account Operators. I was just testing if it helps to have the right SeMachineAccountPrivilege to get these privileges, but it did not help.