"Local Users and Groups" is disabled in "computer mng" when viewing remote servers but NOT when viewing DCs

G'day,
More information:
all servers and the AD are 2003 ent.
2 dcs, ~20 servers.
~1200 PCs
~ 4000 users (uni campus)

When using Computer Management to view remote machines (as domain admin):
1) I can see client XP machines and have complete control.
2) Same for the domain controllers (naturally no "Local Users...").
3) HOWEVER I get "Local Users and Groups" disabled (big ugly red X) for all member servers, and on the right-side pane there is this message:

"unable to access the computer <computer name>. The error was: access is denied"

I suspect the GPO (but it is minimal and all security settings are in Default Domain and Default Domain Controllers), but I do not want to misdirect you.

Questions:
1) Bug or feature (I am quite convinced I had it before)?
2) How do I solve this? Perhaps some user right?

much obliged
Roy


royshapira asked:
 
modulo commented:
PAQed with points refunded (500)

modulo
Community Support Moderator
0
 
JamesDS commented:
royshapira
First check that your Domain Administrator account is a member of the local administrators account on one of your servers with the problem.

Then I suggest you enable security auditing using GPOs for the servers and look for the access denied messages in the security event log to see what else might be causing the problems.

Cheers

JamesDS
0
 
royshapira (author) commented:
Thank you James for this super swift reply.

Indeed the Domain Admins group is a member of all the local admin groups on all member servers.

Can you provide some more info on how to audit this?

Thanks

0
 
royshapira (author) commented:
More information: the Remote Registry service is running on the target servers. Perhaps a finer setting or user right?
0
 
JamesDS commented:
royshapira
Welcome

GPO security policies are here:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events

I suggest you start with "Audit account logon events" (success/failure) and then "Audit privilege use" (failure).

Cheers

JamesDS
0
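Once the audit categories above are applied, the next step JamesDS describes is reading the failure audits back out of each server's Security log. The following is an added example, not code from this thread: it assumes PowerShell on the admin workstation (not installed by default on Server 2003) and uses Get-EventLog, which reaches a remote Security log over the event log RPC interface. The server names are placeholders, not from the original question.

```powershell
# Added example (not from the thread). Collect recent FailureAudit entries from
# a list of member servers so the "access is denied" symptom can be matched
# against a concrete audit event. Server names below are placeholders.

function Get-RecentFailureAudits {
    param(
        [Parameter(Mandatory=$true)][string[]]$ComputerName,
        [int]$Hours  = 1,     # how far back to look
        [int]$Newest = 200    # cap per server so a noisy log does not flood the console
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($server in $ComputerName) {
        try {
            Get-EventLog -ComputerName $server -LogName Security `
                         -EntryType FailureAudit -After $since -Newest $Newest |
                Select-Object @{n='Server';  e={ $server }},
                              TimeGenerated,
                              EventID,
                              @{n='Account'; e={ $_.UserName }},
                              @{n='Message'; e={ $_.Message -replace '\s+', ' ' }}
        } catch {
            # With this thread's symptom the log itself may be unreachable from the
            # DC; report that per server instead of silently returning nothing.
            [pscustomobject]@{
                Server        = $server
                TimeGenerated = $null
                EventID       = $null
                Account       = $null
                Message       = "ERROR reading Security log: $($_.Exception.Message)"
            }
        }
    }
}

# Usage (placeholder names): newest failures first, one table for all servers.
Get-RecentFailureAudits -ComputerName 'MEMBERSRV01', 'MEMBERSRV02' -Hours 2 |
    Sort-Object Server, TimeGenerated -Descending |
    Format-Table -AutoSize -Wrap
```

An empty result for a server that still shows the red X is itself useful data, as the author later found: the access check that fails may happen before any auditable object access on the target, so the absence of events points away from user rights and towards the remote registry path.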
 
royshapira (author) commented:
Hi James,

The event log collected no new data, despite my repeated attempts.

I am quite convinced this has to do with a basic difference between member servers and domain controllers (perhaps in how msbs are handled - I am not sure I understand the issues, or some missing right?).

This is because from the member server I CAN open the event log on the domain controller when logged on as the domain admin, but from the domain controller I can NOT do so to the member server, again as the domain admin.

0
 
nader alkahtani (Network Engineer) commented:
"when using comp. mng to view remote machines (as domain admin)"

Which program do you use?
0
 
royshapira (author) commented:
G'day Nader, and thank you for joining this.

To answer your question: "Computer Management" is the tool (right-click the computer icon >> Manage).

I have since collected some more data:

I can also NOT remotely manage the registry of affected servers in said OU.

Using the Local Security Policy tool I see all rights are set correctly.

I suspected perhaps the security option "Network access: remotely accessible registry paths and subpaths" and have tried adding HKLM - no success - but it's a thought.

Much obliged
0
 
JamesDS commented:
royshapira
Is the Remote Registry service enabled on these servers?
Have you used the GPMC tool to work out what policy settings are being applied to the servers?

Download the GPMC from here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Cheers

JamesDS
0
 
onesquin commented:
"(perhaps in how msbs are handaled - i am not sure i understand the issues, or some missing right?)."

What do you mean by "msbs" in the above post?
0
 
royshapira (author) commented:
Hi,

I believe I have resolved the problem and would like to describe the solution to you. It is based on KB314837 (http://support.microsoft.com/default.aspx?kbid=314837).

I must say I have spent an inordinate amount of time on this one and am afraid at times I was running in all directions but the right one. What pointed me in the right direction was the realization that in addition to the original problem I had no remote management of the registry - and investigating this proved fruitful.
...
Although this article addresses XP, it worked for me.

For a reason I cannot understand, a single security permission was missing from the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

That is: LOCAL SERVICE should have Read permission. I figured this out by comparing the settings on my DCs, which did not experience this problem.

After testing carefully I added this key to the GPO for the member servers and executed "gpupdate /force /sync" on them (requires a reboot) - and it works.

I am very grateful for the time you spent on this one - hope my answer will help you in the future.
Roy

PS
Dear moderator - This Question should be closed and points reclaimed.
0
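The author's method was to compare the winreg key's permissions on a healthy DC against an affected member server and spot the missing LOCAL SERVICE Read entry. The block below is an added example, not code from this thread or from KB314837, that makes that comparison repeatable: each machine exports its own DACL as SDDL (run locally, since remote registry access is exactly what is broken), and the two strings are then diffed ACE by ACE. It assumes PowerShell is available on the hosts involved, which Server 2003 does not ship by default; the file paths are placeholders.

```powershell
# Added example (not from the thread). Export the winreg key DACL on each box,
# then compare a reference machine's DACL with an affected one. Assumes
# PowerShell on both hosts; file names below are placeholders.

$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Step 1, run locally on each machine: the key's security descriptor as SDDL.
function Export-WinregSddl {
    param([string]$Path = $WinregPath)
    (Get-Acl -Path $Path).Sddl
}

# Turn an SDDL string into comparable ACE records (SID, allow/deny, access mask).
function ConvertFrom-SddlAces {
    param([Parameter(Mandatory=$true)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Registry DACLs carry KnownAce entries; skip anything without a SID/mask.
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid  = $ace.SecurityIdentifier
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Principal = $name
            Sid       = $sid.Value
            Type      = $ace.AceType
            Mask      = [int]$ace.AccessMask
            Rights    = [System.Security.AccessControl.RegistryRights]$ace.AccessMask
            Flags     = $ace.AceFlags
        }
    }
}

# Step 2, run anywhere: ACEs granted on the reference but not (fully) on the target.
function Compare-WinregAcl {
    param(
        [Parameter(Mandatory=$true)][string]$ReferenceSddl,
        [Parameter(Mandatory=$true)][string]$TargetSddl
    )
    $target = @(ConvertFrom-SddlAces $TargetSddl)
    foreach ($ref in ConvertFrom-SddlAces $ReferenceSddl) {
        $covered = $target | Where-Object {
            $_.Sid -eq $ref.Sid -and $_.Type -eq $ref.Type -and
            (($_.Mask -band $ref.Mask) -eq $ref.Mask)
        }
        if (-not $covered) { $ref }   # emit the ACE the target is missing
    }
}

# Direct yes/no for the entry the author found missing: LOCAL SERVICE (S-1-5-19) Read.
function Test-LocalServiceRead {
    param([Parameter(Mandatory=$true)][string]$Sddl)
    $read = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $hit  = ConvertFrom-SddlAces $Sddl | Where-Object {
        $_.Sid -eq 'S-1-5-19' -and $_.Type -eq 'AccessAllowed' -and
        (($_.Mask -band $read) -eq $read)
    }
    [bool]$hit
}

# Usage (placeholder paths):
#   on the reference DC:        Export-WinregSddl | Set-Content C:\winreg-dc.sddl
#   on an affected server:      Export-WinregSddl | Set-Content C:\winreg-srv.sddl
#   then, with both files to hand:
#   Compare-WinregAcl -ReferenceSddl (Get-Content C:\winreg-dc.sddl) -TargetSddl (Get-Content C:\winreg-srv.sddl)
#   Test-LocalServiceRead -Sddl (Get-Content C:\winreg-srv.sddl)
```

Compare-WinregAcl is deliberately one-directional: it reports what the reference grants that the target does not, which is the question the author was asking. Run it the other way round to see extra grants on the target. As in the thread, the durable fix is to set the permission through the member servers' GPO (the author added the key there and ran gpupdate) rather than hand-editing each server, so that the ACL is re-applied at every policy refresh.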