Hello, I have been struggling with this error since our Jump Start. We have a service account that is to bind devices to our AD upon enrollment. Every time, both via policy or by going to user preferences I receive this error. My AD account works to bind the devices in User Groups but the Service account receives (plugin encountered an error processing request 10001). The service account CAN bind PC's to AD. Domain is NOT .local Computer name is under 15 characters.

Solved

Plugin encountered an error processing request 10001

Forum|Forum|9 years ago
August 18, 2016
6 replies
198 views

A

Anonymous

Hello, I have been struggling with this error since our Jump Start. We have a service account that is to bind devices to our AD upon enrollment. Every time, both via policy or by going to user preferences I receive this error.

My AD account works to bind the devices in User Groups but the Service account receives (plugin encountered an error processing request 10001).
The service account CAN bind PC's to AD.
Domain is NOT .local
Computer name is under 15 characters.

Best answer by Anonymous

What was needed was to give the JAMF service account proper permissions to the default Computers OU in AD. Go to the Security tab of the Computers OU and give the JAMF service account Full Control. Also, right-click on the Computers OU and create a custom task to delegate control of Computer objects (create and delete) to the JAMF service account.

+16

roiegat
Valued Contributor
Forum|Forum|9 years ago
August 18, 2016

If everything seems to be ok, when it comes to AD binding there is one golden rule - Check the time. The time on the computer has to be the same or very close to the same as the AD server time.

A couple years ago we received macs that were about 6 minutes off fresh out of the box, none of them binded. So I always put a script to sync the time with the time server first and then bind.

Good luck.

Like

+15

mark_mahabir
Jamf Heroes
Forum|Forum|9 years ago
August 18, 2016

Have you read the contents of this thread:
https://jamfnation.jamfsoftware.com/discussion.html?id=9588

Like

A

Anonymous
Forum|Forum|9 years ago
August 18, 2016

Roiegat, I did forget to mention that they are tied to our domain time server and thus it is the same.

Mark, I have seen that before but the solution appears to be a script. I was under the impression that we could just use the directory binding policy unless it is broke. I could try the script but I assume if I receive the 10001 error while going to users and groups, the script would also produce such an error.

Like

A

Anonymous
Answer
Forum|Forum|9 years ago
September 12, 2016

What was needed was to give the JAMF service account proper permissions to the default Computers OU in AD. Go to the Security tab of the Computers OU and give the JAMF service account Full Control. Also, right-click on the Computers OU and create a custom task to delegate control of Computer objects (create and delete) to the JAMF service account.

C

B

bacchusz
New Contributor
Forum|Forum|5 years ago
April 9, 2020

The resolution posted above, when Tyler says JAMF service account, is that the account that should have permissions to bind to the domain in that specific OU?

U