Re: Weird security problem in my Win2K domain

From: Arek Iskra [MVP] (NoSpam_arek_at_arekiskra.com)
Date: 03/24/05


Date: Thu, 24 Mar 2005 20:36:24 +0800

I have replied in .active_directory group where you have also posted.

I'd check if the trusts between domains are still working as expected.

-- 
Arek Iskra
MVP for Windows Server - Software Distribution
"achen" <achen2002@yahoo.com> wrote in message 
news:1111645710.182912.14680@f14g2000cwb.googlegroups.com...
> There are three domains in our forest and I'll call them domain A (the
> root of forest), B and C here. For some reason I am having some bizarre
> security problem in both domain B and C, here are some descriptions:
>
> When I had to modify the members of a local security group (Administrators
> / Power Users) on workstations, what I always do is to open "Computer
> Management" from my own computer and connect to the destination
> workstation, then do the change I want to do. There was never a problem
> in the last 2 years since our Win2K forest was created. However
> recently I am getting an error about access denied, the message looks like
> this:
>
> "The following error occured while attempting to save properties of
> group Administrators on computer XXX: Access is Denied"
>
> Of course my account is a member of Enterprise Admins and also Domain
> Admins of each domain, so the assumption that "My account does not
> have permission to make that change" has been eliminated.
>
> After failing to do this simple task from my own workstations, I
> checked the members of the local "Administrators" to make sure that "Domain
> Admins" is still there, and it is there. Then I went to the DC of each
> domain and tried to do it from there (logging on as domain
> Administrator account) and was still getting the same error. However if I
> visit the workstation and log on as domain administrator to it, I have
> no problem.
>
> This is happening to *ALL* workstations (Win2K/ XP) under domain B and
> C, and it happens all of a sudden, therefore I have eliminated the
> possibility that it is about security patch / service pack or something
> like that.
>
> All services running on these two domains are working fine, there is no
> event log about this from the server, although each failure was logged
> on the workstations, that does not help me to troubleshoot at all.
> 

