Access Denied When Approving a Pending WDS Client

With WDS you can configure the server to automatically respond to known clients. You can additionally affect the behaviour for unknown clients.

In my environment I have it configured to answer the clients PXE boot request however they are not automatically served for two reasons:

  1. I may want to assign them to a different image or elect to manually install it without the unattended settings
  2. I may want the client to not automatically join the domain
  3. I want to name the something better than MININT-000000ABCDEF

When an unknown client connects to the WDS server the user is presented with a message to say that their request is pending administrative approval on the server.

Using the WDS console, you select the Pending Devices tree and select the option to Name and Approve a client, however doing so presents you with an Access Denied error.

Searching the WDS documentation will tell you that you need to grant permissions in the Active Directory OU to the WDS server computer account to allow it to modify and create computer accounts in the domain.

The instructions are as follows:

  1. In Active Directory Users and Computers (dsa.msc) navigate to the OU you assigned as the OU for new clients in the WDS configuration.
  2. Right click on the OU and select Delegate Control
  3. In the Delegation of Control Wizard, select Next
  4. Add the WDS computer account as the selected User or Group and select Next
  5. Select Create a Custom Task and then select Next
  6. Select Only the following objects and tick Computer Objects
  7. Tick the Create Selected Objects tick box and then select Next
  8. Select the Write All Properties option and then select Next and complete the wizard.

Fairly simple to do, however it you have multiple WDS servers this OU’s ACL is going to get messy quickly, so I decided to create a Global Security Group in the domain and add the computer account for WDS to the group. I then applied the Delegated control to the group.

To my surprise I continued to receive the error on the WDS server even after a restart of the services. I tested it by directly adding the WDS computer account to the ACL and it worked as designed.

The problem here appears to be that the ACL isn’t correctly looking at the group membership and giving the WDS server permission to create the computer account in the domain.


Richard works as a Cloud Consultant for Fordway Solution where his primary focus is to help customers understand, adopt and develop with Microsoft Azure, Office 365 and System Center. Richard Green is an IT Pro with over 15 years' of experience in all things Microsoft including System Center and Office 365. He has previously worked as a System Center consultant and as an internal solutions architect across many verticals. Outside of work, he loves motorbikes and is part of the orange army, marshaling for NGRRC, British Superbikes and MotoGP. He is also an Assistant Cub Scout Leader.