Domain Admins can't manage computers

• Previous message: barabba: "Re: EFS - Recovery agent"
• Next in thread: Desmond Lee: "RE: Domain Admins can't manage computers"
• Reply: Desmond Lee: "RE: Domain Admins can't manage computers"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 28 Mar 2005 08:06:31 -0800

For some reason I am having some bizard security problem
in my domain:

When I had to modify the member of local security group
(Administrators / Power Users) on workstations, what I
always do is to open "Computer Management" from my own
computer and connect to the destination workstation, then
make the change. There was never a problem doing this in
the last 2 years since out Win2K forest was created.
However recently I am getting error about access denied,
the message looks like this:

"The following error occured while attempting to save
properties of group Administrators on computer XXX: Access
is Denied"

Of course my account is a member of Domain Admins, I also
checked the member of local "Administrators" group on
workstation to make sure that "Domain Admins" is still
there, and it is. I also did this from the domain
controller (logging on as Domain Administrator account,
and connect to the workstation) and I'm getting the same
failure when trying to save my change.

The only way for me to update the member list of local
groups on workstations is to visit the workstation and log
on to it locally, then I have no problem whether I log on
using my own account or the domain administrator.

This is happening to *ALL* workstations (Win2K/ XP) under
the domain and there is no exception, therefore I would
like to eliminate the possibility to be about security
patch / service pack or something specific like that from
thye workstation side.

There is only one D.C under this doamin, all services
running on it are working fine, there is no event log
about this from the server, although each failure was
logged on the workstations, that does not help me to
troubleshoot at all.

I appreicate any hint to solve this problem.

• Previous message: barabba: "Re: EFS - Recovery agent"
• Next in thread: Desmond Lee: "RE: Domain Admins can't manage computers"
• Reply: Desmond Lee: "RE: Domain Admins can't manage computers"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Client Setup Wizard Error ... If you use the ConnectComputer wizard to join the workstation to the domain ... How can that work unless all users are Local Administrators at all times? ... On subsequent logins he will get the "You must be a member of the local ... administrators security group on this computer to install and configure ... (microsoft.public.windows.server.sbs) Re: Admin equivalent group ... that you make a member of this custom group also a member ... not have allowed to them but which are to Administrators. ... Security) ... (microsoft.public.windowsxp.security_admin) Re: Unable to add Administrators - Secuirty Group ... "Groups or Built-in security principals" to display some of them. ... In a member ser or workstation the LOCAL Administrators won't show up unless you're doing this at the serverDC itself. ... If you want to assign to a domain Local Security Groups you may need to create a new one manually. ... (microsoft.public.windows.server.active_directory) Re: Creation of Adaptor FILE Configuration Store entries FAiled. ... SQL or was not a member of the machine's administrators group. ... > The Group Policy client-side extension Security failed to execute. ... (microsoft.public.biztalk.server) Re: Error starting debugging - not listed in VS help files ... and made it a member of Administrators on both my workstation and the ... server and now I don't get the error. ... (microsoft.public.dotnet.framework.aspnet)