
Domain Admins can't manage computers

Anonymous
March 28, 2005 12:06:31 PM

Archived from groups: microsoft.public.win2000.security

For some reason I am having some bizarre security problem
in my domain:

When I had to modify the members of a local security group
(Administrators / Power Users) on workstations, what I
always do is to open "Computer Management" from my own
computer and connect to the destination workstation, then
make the change. There was never a problem doing this in
the last 2 years since our Win2K forest was created.
However, recently I am getting an error about access denied;
the message looks like this:

"The following error occurred while attempting to save
properties of group Administrators on computer XXX: Access
is Denied"

Of course my account is a member of Domain Admins. I also
checked the members of the local "Administrators" group on
the workstation to make sure that "Domain Admins" is still
there, and it is. I also did this from the domain
controller (logging on with the Domain Administrator account
and connecting to the workstation) and I'm getting the same
failure when trying to save my change.

The only way for me to update the member list of local
groups on workstations is to visit the workstation and log
on to it locally, then I have no problem whether I log on
using my own account or the domain administrator.

This is happening to *ALL* workstations (Win2K / XP) under
the domain and there is no exception, therefore I would
like to eliminate the possibility of it being about a security
patch / service pack or something specific like that on
the workstation side.

There is only one D.C. under this domain, and all services
running on it are working fine. There is no event log entry
about this on the server; although each failure was
logged on the workstations, that does not help me to
troubleshoot at all.

I appreciate any hint to solve this problem.
Anonymous
March 28, 2005 4:59:05 PM


Check that the Remote Registry NT Service is enabled. The Server service as
well, if you are going to run mbsacli.exe to manage any of the clients.

Assuming you are in an Active Directory network, move a problematic machine
(one Win2k, one WinXP) into an OU without any Group Policies to eliminate
this possibility.
Naturally you can also use GPMC to check the RSOP for any affected machines.

Do let us know if this helps. Thanks.

Anonymous
March 29, 2005 12:01:40 PM


1. The "Remote Registry" service is running on all
workstations with no problem.

2. Under this domain, we have never configured the "Default
Group Policy". Since this problem is happening to *all*
computers, instead of moving all of them to another
location, do you recommend that I just disable the default
policy and see how it works out?


Anonymous
April 1, 2005 1:57:16 AM


If you enabled an IPsec filtering policy or Windows Firewall on XP Pro
computers, you could be blocking access to necessary ports to manage those
computers. File and print sharing port access is needed. See if you can
connect to the administrative share such as C$ on any of those client
computers. If you cannot, then there is a problem with file and print
sharing. If you can, there is another problem. --- Steve
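
The checks suggested in the replies above (Remote Registry and Server services, file and print sharing ports, the C$ administrative share) can be collected in one pass from the admin's own machine. This PowerShell script is an added example, not part of the original thread; the workstation name is a placeholder, and TCP 445 and 139 are assumed here to be the file and print sharing ports the reply refers to.

```powershell
# Added example (not from the thread). Needs Windows PowerShell 5.1 or earlier,
# because Get-Service -ComputerName was removed in PowerShell 6+.
param(
    [string[]]$ComputerName = @('WKS-EXAMPLE01')   # hypothetical workstation name
)

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false          # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }
}

function Get-RemoteServiceState {
    param([string]$Computer, [string]$Name)
    try { [string](Get-Service -ComputerName $Computer -Name $Name -ErrorAction Stop).Status }
    catch { 'Unreachable' }
}

foreach ($computer in $ComputerName) {
    $smb   = Test-TcpPort $computer 445              # SMB over TCP (assumed port)
    $nbt   = Test-TcpPort $computer 139              # NetBIOS session (assumed port)
    $share = Test-Path ('\\{0}\C$' -f $computer)     # administrative share

    if (-not ($smb -or $nbt)) {
        $next = 'Sharing ports blocked: review IPsec filters / Windows Firewall'
    } elseif (-not $share) {
        $next = 'Ports open but C$ not reachable: file and print sharing problem'
    } else {
        $next = 'C$ reachable: another problem, check RSoP / Group Policy'
    }

    [pscustomobject]@{
        Computer       = $computer
        Tcp445         = $smb
        Tcp139         = $nbt
        AdminShare     = $share
        RemoteRegistry = Get-RemoteServiceState $computer 'RemoteRegistry'
        Server         = Get-RemoteServiceState $computer 'LanmanServer'
        NextStep       = $next
    }
}
```

Run it under the same Domain Admins account that gets the "Access is Denied" error, so the share and service checks reflect that account's access.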
