vCenter Server fails to query the AD domain join status with LW_ERROR_ACCESS_DENIED
Article ID: 383173
Updated On:
Products
Issue/Introduction
- Failed to query the AD domain join status with the error:
# /opt/likewise/bin/domainjoin-cli queryError: LW_ERROR_ACCESS_DENIED [code 0x00009cde]Incorrect access attempt - In the vCenter UI Administrator - Single Sign On - Configuration - Identity Provider - Active Directory Domain it shows:
The node didn't join any Active Directory
Environment
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x
Cause
The AD domain account used to join AD domain is disabled.
Resolution
- To verify the issue by using the below command:
/opt/likewise/bin/domainjoin-cli --loglevel verbose --logfile /var/log/domain.log join <domain> <ad-domain-user>
It has the below similar output:
Joining to AD Domain: <domain>With Computer DNS Name: <dc-fqdn><ad-domain-user>'s password:Error: LW_ERROR_ACCOUNT_DISABLED [code 0x00009c78]The user account is disabled
- To resolve this enable the domain user account in AD.
If the domain user account is enabled in Active Directory (AD) but the domain join operation still fails with the error:
"ERROR_ACCESS_DENIED" [Code: 0x00000005],
Then it is recommended to verify the object-level permissions for the user account in AD.
-
Open Active Directory Users and Computers.
-
Locate the object (user, group, computer, or OU) for which you want to modify permissions.
-
Right-click the object and select Properties.
-
Go to the Security tab. (If the Security tab is missing, enable "Advanced Features" in the ADUC View menu.)
-
Click user or group to whom you wish to assign permissions.
-
Select the user/group in the list, then check the desired permissions (e.g., Read, Write, Full Control) for that object.
-
If the required permissions are missing, assign them accordingly. After correcting the permissions, re-attempt the domain join.
Feedback
