LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b]

Error

When using AD Bridge and running /opt/pbis/bin/domainjoin-cli join <arguments> to join a Linux or Unix system to the domain, the following error is returned:

/opt/pbis/bin/domainjoin-cli join --ou "MyOU/OU" mydomain.com myadminuser
Joining to AD Domain: mydomain.com
With Computer DNS Name: mycomputer.mydomain.com
myadminuser@mydomain.COM's password:
Error: LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b]
LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b]

Cause

This error is typically encountered when re-joining a computer that already has an object in Active Directory (AD): the computer object for this host still exists, and the admin account used to run the domain join command does not have permission to modify objects in the OU you are trying to join, so the join cannot update the existing object.

Resolution

This can be solved either by deleting the existing computer object from AD using Active Directory Users and Computers, or by granting the join account permission to modify computer objects in the target OU.
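As an added diagnostic (not part of this article or of AD Bridge), the following PowerShell, run on a Windows host with the RSAT ActiveDirectory module, checks whether a computer object already exists for the host and lists the join account's explicit rights on that object before you decide between deleting it and delegating permissions. The host name, account name and the LDAP form of the OU are assumptions that match the command shown above.

```powershell
# Added example, not AD Bridge tooling. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ComputerName = 'mycomputer'                           # assumption: short name of the Linux host
$AdminUser    = 'MYDOMAIN\myadminuser'                 # assumption: account passed to domainjoin-cli
$TargetOu     = 'OU=OU,OU=MyOU,DC=mydomain,DC=com'     # assumption: LDAP form of "MyOU/OU"

# 1. Does a computer object with this name already exist anywhere in the domain?
$existing = Get-ADComputer -Filter "Name -eq '$ComputerName'" -ErrorAction SilentlyContinue
if (-not $existing) {
    Write-Host "No existing computer object named '$ComputerName'; a stale object is not the cause."
    return
}
Write-Host "Existing object: $($existing.DistinguishedName)"

# Note whether the object lives in the OU the join targets; if not, the join
# still has to modify it where it is, not in the target OU.
if ($existing.DistinguishedName -notlike "*,$TargetOu") {
    Write-Host "Object is outside the target OU ($TargetOu)."
}

# 2. Which Allow entries does the join account hold directly on that object?
#    Rights inherited through group membership are not shown by this filter.
$acl = Get-Acl -Path "AD:\$($existing.DistinguishedName)"
$rights = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $AdminUser -and $_.AccessControlType -eq 'Allow'
}
if (-not $rights) {
    Write-Host "$AdminUser has no explicit Allow entries on the object (group-based rights may still apply)."
} else {
    $rights | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
        Format-Table -AutoSize
}
```

If the object exists and the account shows no write rights on it, either delete the object or delegate the needed rights on computer objects in that OU, as described above.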