I am an enterprise admin on my Server 2008 domain (albeit a small domain). When I log into my Vista Ultimate laptop, should I not have enterprise level permissions? I was trying to rename some folders and I am getting "access denied" errors. Am I missing something? If the folders were in use, which I don't believe they were, wouldn't I get a warning that they were in use?
I created my user profile in Active Directory and I am a member of domain users, domain admins, enterprise admins... Any light you can shed would be nice. Thx,
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
First i'll assume that the laptop is in fact correctly joined to the domian. And that it's not a "the laptop has no way of authenticating you against the controller" problem.
Reasons you might get access denied are...
If the file's in use (windows vista won't tell you this).
You can't rename a "Junction", a "hard link", such as "Documents and Settings" in vista.
Other than those, i can't really think of anything other than a permissions problem.
aleinss: I am currently disconnected from the domain, however, I am still logged into my domain account. When I launched the compmgmnt.msc, I do not see ANY reference to domain or enterprise admins. Shouldn't I be able to see the domain admins even though I am NOT connected to the domain?
maninblac1: I was trying to rename a local users profile folder. Is this a "junction"?
thereas: checking permissions is a good suggestion, however, I am presumably logged into the domain laptop as an enterprise admin. I should be "omnipotent" shouldn't I?
I would assume that the user's profile folder is essentially a junction, or at least....potected in the same way a junction would be. Renaming a profile folder would mess alot of things up. The only way to do the acheive the change you would desire is to be logged in as "SYSTEM" which, from all i know isn't possible to do in vista.
That being said, there's nothing a user should need to be do as SYSTEM ever. My guess is that the folder you're attempting to rename is a protected system folder.
maninblac1: I would agree that the profile folder is protected, however, before I found the solution to the issue that was propmting me to rename the user profile folder, I was able to rename other profile folders, just not one specifically. I think the core of the issue is what aleinss is getting at, which is that the domain user groups are not propagating down to the laptop (probably dude to user error). I am going to go down this road to see where it leads. Thanks for your input.
Just for reference, Enterprise Admins is not an automatic member of the Domain Admins group, so you don't get God axs to everything. However, you said you're a member of Domain Admins anyway, so you should have God axs.
It's possible that your user a/c has been denied axs to the particular folder in NTFS perms.
OK... So here's what I did. I logged into the domain as myself (domain and enterprise admin). Since I had shut the DNS server down earlier (I'm still in the testing phase), I went into my network connections, and tried to hard code my DNS server IP (after the server was started, of course) and I was denied access. I had to log in as local admin, point to my DNS server, then log in as me. I went into the user manangemnt console and discovered I did not have rights to make any changes in there... SO.... I logged back in as local admin, browsed to the server, picked myself from the list of users, and added myself to the admin group on the local machine. I logged back in, and now I can see that my domain accnt is a local admin.
I guess this is the REAL question:
When I log into the domain for the first time from my laptop or workstation, should all the permissions that I have on the domain apply, or propagate down to the laptop? And if they do not, why?
By default, when you join a PC to a domain, it adds Domain Admins to the local Administrators group of the device. Sounds like that didn't happen in this case.
If it's not doing this, you could use a GPO to add them that way via a VBScript file:
On Error Resume Next
Set Objgroup = GetObject("WinNT://./Admin
Set Objuser = GetObject("WinNT://YourDom
objGroup.Add(objuser.ADsPa
I rechecked my group membership. Turns out I was NOT a member of the domain admins group this whole time. My apologies for this oversight. What's the purpose of the Enterprise Admin? Shouldn't the Enterprise admin "trump" all other admins?
I now see the Domain Admins group. I guess the real issue was that I was not a member of the Domain Admins so the group was not getting created. I was under the impression that All groups would propagate to the laptop. Rookie error.
Thank you for all your time and help.
For domain stuff, yes. You can only do forest trusts as an EA and SA for Schema changes. If I remove Domain Admins from local administrators group, I can block you as an Enterprise/Domain Administrator from connecting to my PC.
I would have thought that Enterprise Adminstators would have been included in Domain Admins, but I guess not.
I imagine that (purely speculating here), as people don't need to run as an EA/SA often, then they're considered to be more like service accounts than regular user accounts. The security principle of DA is almost synonymous with the job role of sys admin, which is quite tangible. It's obvious that a local sys admin should want to play wiht the registry and network of a computer in his own location. Yet he wouldn't want a sys admin from another office playing with his users' computers (which he could do if the EA was an automatic member of the DA). That my 2 cents.
BTW, you should get familiar with the runas command and the common .cpl & .msc files. e.g.
'runas /u:clientpc1\administrator
'runas /u:clientpc1\administrator
Business Accounts
Answer for Membership
by: theras2000Posted on 2009-06-24 at 15:56:24ID: 24706691
Check the NTFS perms on the actual folder/s and see which groups have rights. Trace the membership back and double-check that you're part of those groups (or groups of groups etc). Are you accessing these folders via a UNC or just on the local drive? Also, just try logging on as a local Administrator account and see if you can modify the folders. If not, there may be something corrupt.