Weird security problem in my Win2K domain

From: achen (achen2002_at_yahoo.com)
Date: 03/24/05

    Date: 23 Mar 2005 22:28:30 -0800
    
    

    There are three domains in our forest and I'll call them domain A (the
    root of the forest), B and C here. For some reason I am having a bizarre
    security problem in both domains B and C. Here are some descriptions:

    When I had to modify the members of a local security group (Administrators
    / Power Users) on workstations, what I always do is open "Computer
    Management" from my own computer and connect to the destination
    workstation, then make the change I want. There was never a problem
    in the last 2 years since our Win2K forest was created. However,
    recently I am getting an error about access denied. The message looks like
    this:

    "The following error occured while attempting to save properties of
    group Administrators on computer XXX: Access is Denied"

    Of course my account is a member of Enterprise Admins and also Domain
    Admins of each domain, so the assumption that "My account does not
    have permission to make that change" has been eliminated.

    After failing to do this simple task from my own workstation, I
    checked the members of the local "Administrators" group to make sure that
    "Domain Admins" is still there, and it is there. Then I went to the DC of
    each domain and tried to do it from there (logging on with the domain
    Administrator account) and am still getting the same error. However, if I
    visit the workstation and log on to it as domain administrator, I have
    no problem.

    This is happening to *ALL* workstations (Win2K / XP) under domains B and
    C, and it happened all of a sudden, therefore I have eliminated the
    possibility that it is about a security patch / service pack or something
    like that.

    All services running on these two domains are working fine, and there is
    no event log entry about this on the server. Each failure was logged
    on the workstations, but that does not help me to troubleshoot at all.

