My CNO was a member of Account operator, which is protected. I removed it from this group.
Why is the security changing on my cluster object?
Hello everyone, I need your help.
I have two Windows clusters and I still have this error:
The computer object associated with the cluster network name resource 'Cluster Name' could not be updated in domain 'domain.com' during the Password change operation.
The text for the associated error code is: Access is denied.
The cluster identity 'Cluster$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.
On my cluster object in AD, I notice that it always loses inheritance. I have adjusted the permissions on the OU, but since it loses the inheritance I still have the error. What is it that changes the permissions on the cluster object?
Thank you very much for your help
2 additional answers
-
Gary Reynolds 9,391 Reputation points
2021-10-15T21:35:38.627+00:00
It sounds like your cluster account is being protected by the SDProp process. Have a look at this article, sdprop, which explains how to check if SDProp is changing the permissions of your cluster account.
Gary.
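One way to run the check described in the answer above, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is available and uses the account name 'Cluster$' from the error text; the property names on the output object are illustrative.

```powershell
# Added example: check whether SDProp/AdminSDHolder is protecting the cluster name object (CNO).
# Assumptions: RSAT ActiveDirectory module installed; 'Cluster$' is the CNO's sAMAccountName.
Import-Module ActiveDirectory

$cnoAccount = 'Cluster$'   # replace with your CNO's sAMAccountName

# adminCount = 1 and blocked inheritance are the marks SDProp leaves on a protected object.
$cno = Get-ADComputer -Identity $cnoAccount -Properties adminCount, nTSecurityDescriptor

# Protected groups carry adminCount = 1 themselves. The matching rule
# 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) also finds nested membership.
# Note: a DN containing '(', ')', '*' or '\' must be escaped before use in an LDAP filter.
$filter = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$($cno.DistinguishedName)))"
$protectedGroups = Get-ADGroup -LDAPFilter $filter

# SDProp stamps the AdminSDHolder security descriptor onto protected objects,
# so an identical DACL is a strong indicator that SDProp wrote it.
$domainDn    = (Get-ADDomain).DistinguishedName
$adminHolder = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDn" -Properties nTSecurityDescriptor
$cnoDacl     = $cno.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')
$holderDacl  = $adminHolder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')

[pscustomobject]@{
    Account               = $cno.SamAccountName
    AdminCount            = $cno.adminCount
    InheritanceDisabled   = $cno.nTSecurityDescriptor.AreAccessRulesProtected
    DaclMatchesAdminSDHolder = ($cnoDacl -eq $holderDacl)
    ProtectedGroups       = ($protectedGroups.Name -join ', ')
}
```

Removing the account from the protected group does not reset adminCount or re-enable inheritance on the object; both have to be corrected on the object afterwards.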
-
Limitless Technology 39,371 Reputation points
2021-10-18T10:28:12.867+00:00
Hi there,
When you create a failover cluster and configure clustered services or applications, the failover cluster wizards create the necessary Active Directory computer accounts (also called computer objects) and give them specific permissions. The wizards create a computer account for the cluster itself and this is the reason for the permission changes on clusters.
If the reply is helpful, please Upvote and Accept it as an answer