Error 'Access Denied' when using Symantec Ghost to join a client to a domain

Article:TECH109554  |  Created: 2007-01-30  |  Updated: 2013-10-26  |  Article URL http://www.symantec.com/docs/TECH109554
Article Type
Technical Solution


Environment

Issue



The error message 'Access Denied' occurs when trying to use the Symantec Ghost Configuration task to join a client computer to a domain.

 


Solution



Below are some of the possible solutions available:

Solution 1:
If the client machine had previously been on the domain and had been added manually, you might see this error. Ghost can only re-add machines to the domain that it had added originally. You will need to manually remove the machine from Active Directory and then add it again via a Console Configuration task.
This is by design, for security reasons on domains. The Ghost User account has limited Domain Admin rights, because the Domain Admin would eventually lose control if anyone who gained access to the Console could override already existing user accounts. Ghost checks which account added the computer account and aborts the process if it was not the Ghost User account.

Here are instructions for creating a Configuration task: http://service1.symantec.com/support/on-technology.nsf/docid/2008012214021160

Active Directory replication and DNS can also cause problems. If there is an existing computer account associated with the Ghost Client in Active Directory, deleting it and running the task again can resolve the problem.

Solution 2:

  1. Reset the computer account password for the Ghost Server in Active Directory.
  2. Reset the Ghost service account password in the Ghost Console by going to Tools> Supported Domain List > Edit.
  3. On the Ghost Server, remove it from the Domain into a Workgroup, then restart the computer.
  4. On the Ghost Server, add it to the Domain, then restart the computer.
  5. Use the Windows Support Tools utility "netdiag" to make sure that the "Trust Relationship Test" passed.
  6. Create a Configuration-only task and run it separately.



Solution 3:
This can happen when the Active Directory domain uses a fully qualified name that is greater than 15 characters. Symantec Ghost 7.5 and earlier work only with domain names that are 15 characters or less.

If the domain name is 15 characters or fewer and you continue to receive the error message, download and apply the latest Netdom.exe file from Microsoft.

How to download and apply the latest Netdom.exe file
 


Note: Netdom.exe is a Microsoft tool and is therefore not supported by Symantec Technicians. If you have trouble implementing Netdom, please contact Microsoft Technical Support. The associated command line arguments listed below will need to be run with a Task every time you need to add a computer to the Domain.


  1. Download the SP3 Support Tools file from Microsoft. Follow the instructions provided on the Microsoft Web page to apply the tools.
  2. Click Start> Programs.
  3. Click Symantec Ghost, and then click Ghost Console. Click Cancel if the "Symantec Ghost Console Wizard" dialog box appears.
  4. Click File> New> Task.
  5. Click General.
  6. Type a name into the "Name:" box.
  7. In the "Task steps" section, select Configuration Refresh, Transfer Files, and Execute Command in the check boxes. Clear all the other check boxes.
  8. Click Browse in the "Target Machine Group/Machine" section.
  9. Navigate and select the target computer. The computer name will appear in the "Name:" box to the left of the "Browse" button.
  10. Click File transfer.
  11. Click In Target Operating System.
  12. Click Add.
  13. Navigate to:
    C:\Program Files\Support Tools.

  14. Locate, and then click Netdom.exe.
  15. Click Open.
  16. Click Command.
  17. Click In Target Operating System.
  18. Type C:\Program Files\Symantec\Ghost\Incoming\netdom.exe into the "Command" box.
  19. Type add %computername% /domain:DOMAINNAME /UserD:Administrator /PasswordD:PASSWORD /Server:DOMAINCONTROLLER into the "Arguments" box.

    Note: Replace the DOMAINNAME, PASSWORD, and DOMAINCONTROLLER with your specific information. Note that "%computername%" is a variable. Replacing it with a computer name will limit the task to only the named computer. Leaving it as "%computername%" allows the task to be used on multiple computers.
  20. Click Add.
  21. Type C:\Program Files\Symantec\Ghost\Incoming\netdom.exe into the Command box.
  22. Type join %computername% /domain:DOMAINNAME /UserD:Administrator /PasswordD:PASSWORD /UserO:Administrator /PasswordO:PASSWORD /reboot:10 into the Arguments box. For older computers, increase the "reboot" time to 50 or higher.

    Note: Replace the DOMAINNAME, PASSWORD, and DOMAINCONTROLLER with your specific information. Note that %computername% is a variable. Replacing it with a computer name will limit the task to only the named computer. Leaving it as "%computername%" allows the task to be used on multiple computers.
  23. Click Add.
  24. Click OK.

    Note: If the computer exists on the Domain Controller, the computer must be removed from the Domain Controller before the Console Task is executed.
  25. The client computer will restart after the task is complete.
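
The following read-only pre-flight check is an added example, not part of the original article or of Symantec Ghost. It reports whether a computer account already exists for each target client and which account created it (Solution 1 and the note in step 24), and flags a domain name longer than 15 characters (Solution 3). It assumes the ActiveDirectory (RSAT) PowerShell module is available and that the creator SID or object owner is a usable indicator of who added the account; the article does not say which attribute Ghost itself inspects. The function name and all sample names are hypothetical.

```powershell
# Added example: read-only pre-flight check before running the Ghost join task.
# Assumes the ActiveDirectory (RSAT) module; every name passed in is a placeholder.
Import-Module ActiveDirectory

function Test-GhostJoinPreflight {
    param(
        [Parameter(Mandatory)] [string]   $DomainName,    # domain used in the task
        [Parameter(Mandatory)] [string]   $GhostAccount,  # Ghost service account (assumed to be a user object)
        [Parameter(Mandatory)] [string[]] $ComputerName   # clients the task targets
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Solution 3: Ghost 7.5 and earlier accept domain names of 15 characters or less.
    if ($DomainName.Length -gt 15) {
        Write-Warning "'$DomainName' is $($DomainName.Length) characters long (limit is 15 for Ghost 7.5 and earlier)."
    }

    $ghostSid = (Get-ADUser -Identity $GhostAccount -Server $DomainName).SID

    foreach ($name in $ComputerName) {
        $acct = Get-ADComputer -Filter "Name -eq '$name'" -Server $DomainName `
                    -Properties whenCreated, 'mS-DS-CreatorSID', nTSecurityDescriptor
        if (-not $acct) {
            # No account yet: nothing to clean up before the task runs.
            [pscustomobject]@{ Computer = $name; Exists = $false; Created = $null
                               CreatedBy = $null; Action = 'Run task' }
            continue
        }
        # Assumption: mS-DS-CreatorSID may be empty (for example when an administrator
        # created the account), so fall back to the owner in the security descriptor.
        $creator = $acct.'mS-DS-CreatorSID'
        if (-not $creator) { $creator = $acct.nTSecurityDescriptor.GetOwner($sidType) }

        $action = if ($creator.Value -eq $ghostSid.Value) {
            'Run Configuration task (account was created by the Ghost account)'
        } else {
            'Remove account from Active Directory, then run task'
        }
        [pscustomobject]@{ Computer = $name; Exists = $true; Created = $acct.whenCreated
                           CreatedBy = $creator.Value; Action = $action }
    }
}

# Constructed sample call; replace the placeholder names with your own.
# Test-GhostJoinPreflight -DomainName 'CORP' -GhostAccount 'ghostsvc' -ComputerName 'PC-001','PC-002'
```

For the Netdom task described above, any row with Exists = True means the account has to be removed first, as the note in step 24 states, regardless of who created it.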



Workaround
Verify that the Windows File and Printer Sharing feature is installed and enabled on your computer.

To verify that the File and Printer Sharing feature is installed and enabled in Windows 2000/XP:

  1. Click Start> Settings> Network and Dial-up Connections.
  2. Click Local Area Connection.
  3. Click File> Properties.
  4. Confirm that "File and Printer Sharing for Microsoft Networks" is on the list. If "File and Printer Sharing for Microsoft Networks" is not on the list, click Install, and then follow the on-screen instructions to install this feature. You may be required to insert the Microsoft Windows 2000 or XP CD into your CD-ROM or DVD-ROM drive.
  5. If "File and Printer Sharing for Microsoft Networks" is on this list, click the check box to the left and ensure a check mark appears in the box.
  6. Click OK.
  7. If prompted, restart the computer.


To verify that "File and Printer Sharing" is installed and enabled in Microsoft Windows Vista:

  1. Go to Start> Network
  2. Click Network and Sharing Center
  3. Ensure that File sharing is on.





 



Legacy ID



2007013111510425

