Windows 2008 domain admin has no rights
in [Windows Servers]
|
From: Bonno Bloksma on 5 Feb 2010 02:17 Hi, I had some strange permission problem on another server but in the end I think we determined a probable cause. However, this one has me completely blown. Brand new HP DL 380 G6 server. Installed Windows 2008 64bit on it. Logged in as the local administrator everything seems ok. Add the server to a domain. Log on as domein administrator, so far so good except for the standard stuff like I don't heve the right to access the logo for the HP system management homepage and it is not shown as the green square but as blank piece op paper with the link arrow. Strangely enough I then CAN change the logo but first get an error that I am not alowed to access %SystemDrive%\hp\hpsmh\csicon.ico I can then go to that same directory but get a UAC popup twice, once when going to the directory and once when assigning the logo. Is this UAC a symptom of the root cause for my other (real) problem? The realy wierd stuf starts when I want to go to the D: drive which is just a second primary partition on the array. With the standard permissions assigned by Windows, where normal users have persmission to access the root of the drive, I can access the drive as well. When I remove the permission for normal users and leave everything else in place, I as domain admin have NO ACCESS to open the root directory of the D: drive. :-( I have tried removing the server form the domain and adding it to the domain once more, no go. I have delete the partition and added it once more, no go. As soon as I remove the rights for normal users I cannot access the drive anymore. Logged in as the local administrator I can access the D: drive. Permission on the drive: D:\>cacls \ D:\ CREATOR OWNER:(OI)(CI)(IO)F NT AUTHORITY\SYSTEM:(OI)(CI)F BUILTIN\Administrators:(OI)(CI)F I am a member of the Domain admins, the global group Domain Admins is a member of the local group Administrators. I have several other Windows 2008 servers where I seemed to have similar problems at first but for whatever reason I do not have those problems there anymore. What is going on? Bonno Bloksma (MCSE2003 and studying for the 2008 certification.)
From: Meinolf Weber [MVP-DS] on 5 Feb 2010 02:36 Hello Bonno, What you see belongs to the UAC settings, Except the local administrator/domain administrator account all domain admins are belonging to UAC. So either reconfigure(LOWER) the security settings with disabling UAC or use the GPO settings in: Computer configuration, windows settings, security settings, local policies, security options, in the right pane you will find a detailed option for configuration of the UAC. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > Hi, > > I had some strange permission problem on another server but in the end > I think we determined a probable cause. However, this one has me > completely blown. > > Brand new HP DL 380 G6 server. Installed Windows 2008 64bit on it. > Logged in as the local administrator everything seems ok. > > Add the server to a domain. Log on as domein administrator, so far so > good except for the standard > > stuff like I don't heve the right to access the logo for the HP system > management homepage and it is > > not shown as the green square but as blank piece op paper with the > link arrow. > > Strangely enough I then CAN change the logo but first get an error > that I am not alowed to access > > %SystemDrive%\hp\hpsmh\csicon.ico > > I can then go to that same directory but get a UAC popup twice, once > when going to the directory and > > once when assigning the logo. > > Is this UAC a symptom of the root cause for my other (real) problem? > > The realy wierd stuf starts when I want to go to the D: drive which is > just a second primary > partition on the array. With the standard permissions assigned by > Windows, where normal users have > persmission to access the root of the drive, I can access the drive as > well. > When I remove the permission for normal users and leave everything > else in place, I as domain admin > have NO ACCESS to open the root directory of the D: drive. :-( > I have tried removing the server form the domain and adding it to the > domain once more, no go. > > I have delete the partition and added it once more, no go. As soon as > I remove the rights for normal > > users I cannot access the drive anymore. > > Logged in as the local administrator I can access the D: drive. > Permission on the drive: > D:\>cacls \ > D:\ CREATOR OWNER:(OI)(CI)(IO)F > NT AUTHORITY\SYSTEM:(OI)(CI)F > BUILTIN\Administrators:(OI)(CI)F > I am a member of the Domain admins, the global group Domain Admins is > a member of the local group Administrators. > > I have several other Windows 2008 servers where I seemed to have > similar problems at first but for > whatever reason I do not have those problems there anymore. > What is going on? > Bonno Bloksma > (MCSE2003 and studying for the 2008 certification.)
From: Bonno Bloksma on 5 Feb 2010 07:21 Hello Meinolf, [....] >> The realy wierd stuf starts when I want to go to the D: drive which is >> just a second primary >> partition on the array. With the standard permissions assigned by >> Windows, where normal users have >> persmission to access the root of the drive, I can access the drive as >> well. >> When I remove the permission for normal users and leave everything >> else in place, I as domain admin >> have NO ACCESS to open the root directory of the D: drive. :-( >> I have tried removing the server form the domain and adding it to the >> domain once more, no go. >> >> I have delete the partition and added it once more, no go. As soon as >> I remove the rights for normal users I cannot access the drive anymore. > What you see belongs to the UAC settings, Except the local administrator/domain administrator > account all domain admins are belonging to UAC. So far I understand what you mean but... > So either reconfigure(LOWER) the security settings with disabling UAC or use the GPO settings in: > Computer configuration, windows settings, security settings, local policies, security options, in > the right pane you will find a detailed option for configuration of the UAC. I have found those options and indeed I can disable the UAC altogether for the domain admins but... If it is indeed a UAC thing then why am I completely denied access to the root of the D: drive in stead of just getting a UAC prompt? Why does the system not even ask me whether the action I want to perform is indeed what I want? Bonno Bloksma
From: Meinolf Weber [MVP-DS] on 5 Feb 2010 07:46 Hello Bonno, Please post all configured share and NTFS permissions on the d-drive here. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > Hello Meinolf, > > [....] > >>> The realy wierd stuf starts when I want to go to the D: drive which >>> is >>> just a second primary >>> partition on the array. With the standard permissions assigned by >>> Windows, where normal users have >>> persmission to access the root of the drive, I can access the drive >>> as >>> well. >>> When I remove the permission for normal users and leave everything >>> else in place, I as domain admin >>> have NO ACCESS to open the root directory of the D: drive. :-( >>> I have tried removing the server form the domain and adding it to >>> the >>> domain once more, no go. >>> I have delete the partition and added it once more, no go. As soon >>> as I remove the rights for normal users I cannot access the drive >>> anymore. >>> >> What you see belongs to the UAC settings, Except the local >> administrator/domain administrator account all domain admins are >> belonging to UAC. >> > So far I understand what you mean but... > >> So either reconfigure(LOWER) the security settings with disabling UAC >> or use the GPO settings in: Computer configuration, windows settings, >> security settings, local policies, security options, in the right >> pane you will find a detailed option for configuration of the UAC. >> > I have found those options and indeed I can disable the UAC altogether > for the domain admins but... > If it is indeed a UAC thing then why am I completely denied access to > the root of the D: drive in > stead of just getting a UAC prompt? > Why does the system not even ask me whether the action I want to > perform is indeed what I want? > Bonno Bloksma >
From: Ace Fekay [MVP-DS, MCT] on 5 Feb 2010 09:53
"Bonno Bloksma" <bbloksma(a)xs4all.nl> wrote in message news:4b6c0d26$0$22938$e4fe514c(a)news.xs4all.nl... > Hello Meinolf, > > [....] >>> The realy wierd stuf starts when I want to go to the D: drive which is >>> just a second primary >>> partition on the array. With the standard permissions assigned by >>> Windows, where normal users have >>> persmission to access the root of the drive, I can access the drive as >>> well. >>> When I remove the permission for normal users and leave everything >>> else in place, I as domain admin >>> have NO ACCESS to open the root directory of the D: drive. :-( >>> I have tried removing the server form the domain and adding it to the >>> domain once more, no go. >>> >>> I have delete the partition and added it once more, no go. As soon as >>> I remove the rights for normal users I cannot access the drive anymore. > >> What you see belongs to the UAC settings, Except the local >> administrator/domain administrator account all domain admins are >> belonging to UAC. > > So far I understand what you mean but... > >> So either reconfigure(LOWER) the security settings with disabling UAC or >> use the GPO settings in: >> Computer configuration, windows settings, security settings, local >> policies, security options, in the right pane you will find a detailed >> option for configuration of the UAC. > > I have found those options and indeed I can disable the UAC altogether for > the domain admins but... > If it is indeed a UAC thing then why am I completely denied access to the > root of the D: drive in stead of just getting a UAC prompt? > Why does the system not even ask me whether the action I want to perform > is indeed what I want? > > Bonno Bloksma > > Are there any restrictions that were placed using a GPO, or a security template applied to a GPO affecting this machine in the OU it's in? -- Ace This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution. Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003 Microsoft Certified Trainer Microsoft MVP - Directory Services If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers. |