Common Error Messages when Delegating Permissions

The following error messages may be seen if the proper permissions have not been delegated. Each message is an interpretation of the underlying error that AD returned for the LDAP operation. Confirming the cause of the error with certainty usually requires a packet capture of the join. To create a full diagnostic of the join, including the capture, run the AD Bridge support tool with the domain join parameter:

/opt/pbis/libexec/pbis-support.pl --dj

Follow the prompts to attempt the join and provide the compiled tarball to BeyondTrust Technical Support.

The following error messages usually indicate that insufficient rights have been given to join the domain.

Error: LW_ERROR_LDAP_CONSTRAINT_VIOLATION [code 0x00009d7b]
Error: ERROR_ACCESS_DENIED [code 0x00000005]

For more information, see How to Delegate Control in Active Directory.

The following error message usually indicates that insufficient rights have been given to move a pre-existing computer object.

Error: LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b]

For more information, see Delegate Control to Move Computer Objects on Rejoin.

The above error may also occur when rejoining to the same OU with the --ou parameter. It is not necessary to specify the --ou parameter to rejoin a computer to the same OU.
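The triage described above can be scripted over saved join output. This is an added example, not BeyondTrust code: the function name `classify_join_errors`, the output labels, and the sample command line and output (domain, OU and user names) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): triage AD Bridge join errors by the
# codes listed on this page. Join output on stdin; $1 = the join command used.

classify_join_errors() {
    join_cmd="${1:-}"
    found=0
    while IFS= read -r line; do
        # Error lines have the shape: Error: NAME [code 0x00009d7b]
        code=$(printf '%s\n' "$line" |
            sed -n 's/^.*Error: *[A-Z0-9_]* *\[code \(0x[0-9A-Fa-f]\{8\}\)].*$/\1/p' |
            tr 'A-F' 'a-f')
        [ -n "$code" ] || continue
        found=1
        case "$code" in
            0x00009d7b|0x00000005)
                echo "$code JOIN_RIGHTS: insufficient rights to join; see How to Delegate Control in Active Directory" ;;
            0x00009d8b)
                echo "$code MOVE_RIGHTS: insufficient rights to move a pre-existing computer object; see Delegate Control to Move Computer Objects on Rejoin"
                # Rejoin caveat: --ou is unnecessary when the OU is unchanged.
                case " $join_cmd " in
                    *" --ou "*) echo "$code OU_HINT: --ou was passed; omit it when rejoining to the same OU" ;;
                esac ;;
            *)
                echo "$code UNKNOWN: not listed here; capture the join with the support tool" ;;
        esac
    done
    [ "$found" -eq 1 ]   # non-zero exit status when no error line was seen
}

# Constructed sample: command line and output are illustrative, not captured.
SAMPLE_CMD="domainjoin-cli join --ou Servers example.com joinuser"
sample_join_output() {
    cat <<'EOF'
Joining to AD Domain:   example.com
Error: LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b]
EOF
}

sample_join_output | classify_join_errors "$SAMPLE_CMD"
```

The classification is only as reliable as the interpreted error message; the packet capture from the support tool remains the way to confirm the cause.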

Additional References