Re: Domain Admins Not Fully In Local Administrators
- From: Jerry Banasik <JerryBanasik@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 2 Jan 2009 09:08:03 -0800
I did a lot more poking and prodding to determine exactly what was going on.
I used Microsoft SysInternals Process Monitor (Procmon.exe) on “A” and “B”
while trying to open files on the other computer. You can see lots of stuff
going on, but nothing to indicate any problems. [I did find that shell32.dll
was not properly registered on “A”, but this did not change anything]. After
making more tests I determined that non-executable files like text could be
opened by “A”; executable files were being blocked! After carefully
comparing “A” to “B” I still could not find anything out of place. Then I
remembered that Internet Explorer settings can affect local machine and
network behavior. I compared IE between “A” and “B”, but still did not see
any differences. Going back to the fact that text files worked, I knew that
it was the local machine blocking anything that looked like an executable.
[This is the second installation of this new hardware, but it is not that
much different from the other servers which do not have any problems like
this. The other new server is running Windows 2008 and did not experience
any problems like this, but is not suitable for comparison]. Still IE 7.0
burned on my mind. I did some Google searching and found information that
led me to the answer. It seems that new hardware with Windows 2003 R2 (and
all of the updates) requires entries into the Local Intranet Sites on IE 7.0.
These entries look like “file://<machinename>” or can be entered as
“\\<machinename>”, which get translated to the other entry. So as soon as I
entered “\\B”, I could remotely run an executable located on “B”. THIS IS
ONLY REQUIRED ON THIS NEW SERVER WITH WINDOWS 2003! I guess it is the new
BIOS, CPU or Chipset that allows IE to have this much control over the
machine. Lesson Learned: Microsoft/Intel sure makes things difficult and not
very logical sometimes.
Thanks for taking the time to try to help me out.
Jerry
"Marcin" wrote:
Jerry,
Do you have any GPOs configured such that they would impact the behavior you
described? If so, do Domain Admins have Read and Apply Group Policy
permissions to them? What errors are you getting when trying to access
remote shared DVD drives on other servers? Have you tried disabling IE
Enhanced Security Configuration?
hth
Marcin
"Jerry Banasik" <JerryBanasik@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B7EE53B9-840F-42FE-BC20-44AC6C620B02@xxxxxxxxxxxxxxxx
I have a new server that seems to be lacking full permissions for Domain
Admins. Here is the background and problem:
- Windows 2003 domain controllers
- All existing servers have the latest updates
- Windows 2003 R2 on servers involved - "A" & "B"
- Server "A" was renamed to server "B"
- Removed from the domain
- Renamed to "B"
- Rejoined the domain
- Server "B" is to be dismantled when server "A" is fully operational
- Server "A" was re-created from scratch on new hardware
- All updates were applied to server "A" before joining the domain
- Domain Admin can login into the server "A"
- Domain Admin on server "A" cannot execute programs, download files or
write files located on another server
- Domain Admin on server "A" cannot use shared DVD drive on another server
- Domain Admin on another server can write files to server "A"
- Domain Admin on server "A" must authenticate when opening SQL Server 2005
Reporting Service (SSRS) web page
- Local Admin account (using Run As) does not have any problems opening SSRS
web pages
- NetDiag does not find any problems
- Domain Admin group is listed in local Administrators group
- Domain Admin group is listed in local Users group
- Different Domain Admin account has the same problem
- Dropped server "A" from the domain
- Deleted server "A" from AD and waited 1 hour for changes to propagate to
other domain controller
- Rejoined server "A" to the domain and problem remains
I am running out of things to check and need some suggestions.
Thanks