Archived from groups: microsoft.public.win2000.security
OK. If the server is a domain controller you are out of luck as domain controllers do
not have local administrators - just domain administrators. Those bastards! --- Steve
"Rockitman" <anonymous@discussions.microsoft.com> wrote in message
news:d1e301c48abd$3dc13220$a401280a@phx.gbl...
> First of all, this server is a Domain Controller. Thus I
> have no ability to log in locally to the machine. I must
> always log in to the domain as a domain user. I am a
> member of an administrative group that gives me rights to
> my OU but it is very limited. The error I get when I go
> into Computer Management, Shared Folders, Open Files is:
>
> "System encountered the following error while reading the
> list of open files: Error 5: Access denied"
>
> I'm not privy to group policies so not sure if I am cut
> off there or not. All the domain admins will tell me is
> that I have to be a domain admin to be able to see the
> open files. Not fair! I cannot do my job effectively
> without this ability. Oh I yearn for the old days of
> Novell.
>>-----Original Message-----
>>A local administrator on a domain [or any] computer has a lot of power. Why do you
>>believe you cannot see who has files open? What error do you get? It is possible
>>that there are Group Policy restrictions that can also apply to the local
>>administrator while logged on as a domain member. If you log on to the local machine
>>as administrator then user configuration Group Policy from the domain or OU would not
>>apply to you. There is a user right for debug programs that by default has the
>>administrators group as members. If that has been removed then some system utilities
>>will not run or only run with certain features. Many of the utilities from
>>SysInternals require debug user right. If that user right has been configured at the
>>domain/OU level as shown by local setting being different than "effective" setting in
>>Local Security Policy, there is nothing you can do about it. Of course the local
>>administrator can always remove a computer from the domain, but I would not recommend
>>that without permission from domain admins and the local administrator may not be
>>able to join the computer to the domain. --- Steve
>>
>