RE: Domain Admins can't manage computers
From: Desmond Lee (mcp_at_donotspamplease.mars)
Date: 03/28/05
- Next message: mvanzwieten_at_gmail.com: "Re: Automatically Renewing User Certificates from Inhouse CA?"
- Previous message: Desmond Lee: "RE: Patch listing for MS products"
- In reply to: Angus Chen: "Domain Admins can't manage computers"
- Next in thread: Angus Chen: "RE: Domain Admins can't manage computers"
- Reply: Angus Chen: "RE: Domain Admins can't manage computers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Mar 2005 12:59:05 -0800
Check that the Remote Registry NT Service is enabled. The Server service as
well, if you are going to run mbsacli.exe to manage any of the clients.
Assuming you are in an Active Directory network, move a problematic machine
(one Win2k, one WinXP) into an OU without any Group Policies to eliminate
this possibility.
Naturally you can also use GPMC to check the RSOP for any affected machines.
Do let us know if this helps. Thanks.
"Angus Chen" wrote:
> For some reason I am having some bizard security problem
> in my domain:
>
> When I had to modify the member of local security group
> (Administrators / Power Users) on workstations, what I
> always do is to open "Computer Management" from my own
> computer and connect to the destination workstation, then
> make the change. There was never a problem doing this in
> the last 2 years since out Win2K forest was created.
> However recently I am getting error about access denied,
> the message looks like this:
>
> "The following error occured while attempting to save
> properties of group Administrators on computer XXX: Access
> is Denied"
>
> Of course my account is a member of Domain Admins, I also
> checked the member of local "Administrators" group on
> workstation to make sure that "Domain Admins" is still
> there, and it is. I also did this from the domain
> controller (logging on as Domain Administrator account,
> and connect to the workstation) and I'm getting the same
> failure when trying to save my change.
>
> The only way for me to update the member list of local
> groups on workstations is to visit the workstation and log
> on to it locally, then I have no problem whether I log on
> using my own account or the domain administrator.
>
> This is happening to *ALL* workstations (Win2K/ XP) under
> the domain and there is no exception, therefore I would
> like to eliminate the possibility to be about security
> patch / service pack or something specific like that from
> thye workstation side.
>
> There is only one D.C under this doamin, all services
> running on it are working fine, there is no event log
> about this from the server, although each failure was
> logged on the workstations, that does not help me to
> troubleshoot at all.
>
> I appreicate any hint to solve this problem.
>
- Next message: mvanzwieten_at_gmail.com: "Re: Automatically Renewing User Certificates from Inhouse CA?"
- Previous message: Desmond Lee: "RE: Patch listing for MS products"
- In reply to: Angus Chen: "Domain Admins can't manage computers"
- Next in thread: Angus Chen: "RE: Domain Admins can't manage computers"
- Reply: Angus Chen: "RE: Domain Admins can't manage computers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
