Wednesday, September 13, 2006

RIS Install Notes

JSI Tip 3060. What rights are needed for a RIS server to create machine accounts?
Users can create their own machine accounts (Low security) - For this option, modify the security on the container that will hold the new MAOs to include an Access Control Entry (ACE) for the user (or group) allowing the Create All Child Objects permission. The creator of this object becomes the owner, giving the creator full control of this object only. This option allows the user to reinstall, if required, without administrator assistance.

I forgot a couple of items. First, I need to install RIS with Enterprise Admin rights. Since we have 2 domains (root and primary), I needed to give administrative rights on the RIS server to the correct root\account.

My second issue is documented above. Instead of requiring "Domain Admin" rights, we decided to create a domain group of "RIS Operators" which had permissions to perform a RIS installation. To do that, I needed to run ADSI Edit from a domain controller, go to the properties of the RIS computer and then the Security tab, and give the Self object the "Create All Child Objects" and "Delete All Child Objects" permissions.

I almost remember reading about this permission but had forgotten it and couldn't find it again on Microsoft's website.

RIS server won't authorise

What OS and SP? Are you getting other binl event IDs, like 7000, 1047 and 1007?
Did you successfully complete risetup?
It could be permissions-related. The computer account of Self has to be granted the Create All Child object access on the computer object of the RIS server in AD.
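
To check afterwards which principals hold the "Create All Child Objects" / "Delete All Child Objects" permission described in these notes, the ACL on the RIS server's computer object (or on the container from the JSI tip) can be listed. This is an added example, not part of the original notes or the quoted posts; it assumes the ActiveDirectory PowerShell module is installed, and `RIS01` and the function name `Get-ChildObjectAce` are placeholders.

```powershell
# Added example: list ACEs that allow creating/deleting ALL child object types
# on an AD object. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ChildObjectAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName
    )
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    # CreateChild and DeleteChild are the bits behind "Create/Delete All Child Objects".
    $mask = [int]$rights::CreateChild -bor [int]$rights::DeleteChild

    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $mask) -ne 0) -and
            # An empty ObjectType GUID means the right applies to all child classes,
            # not just one class such as computer objects.
            $_.ObjectType -eq [guid]::Empty
        } |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                      ActiveDirectoryRights,
                      IsInherited,
                      @{ n = 'IsSelf'; e = { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' } }
}

# 'RIS01' is a placeholder for the RIS server's computer account name.
$ris = Get-ADComputer -Identity 'RIS01'
Get-ChildObjectAce -DistinguishedName $ris.DistinguishedName |
    Sort-Object IsSelf -Descending |
    Format-Table -AutoSize
```

Principals with Full Control (GenericAll), such as Domain Admins, also appear in the output because Full Control includes both child-object rights; any other unexpected identity in the list is worth reviewing.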