Solved

"local users and groups" is disabled in "computer mng" when viewing remote servers but NOT when viewing DCs

Posted on 2004-10-06
Last Modified: 2013-12-04
G'day,
More information:
all servers and the AD are 2003 ent.
2 dcs, ~20 servers.
~1200 PCs
~ 4000 users (uni campus)

when using comp. mng to view remote machines (as domain admin):
1) I can see client XP machines and have complete control
2) same for the domain controllers (naturally no "local users..")
3) HOWEVER I get "local users and groups" disabled (big ugly red X) for all member servers, and on the right side pane there is this msg:

"unable to access the computer <computer name>. The error was: access is denied"

I suspect the GPO (but it is minimal and all security settings are in def domain and def dom cntrlrs) but I do not want to misdirect you.

questions:
1) bug or feature (i am quite convinced i had it before)?
2) how do i solve this? perhaps some user right?

much obliged
Roy


0
Question by:royshapira
12 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 12237462
royshapira
First check that your Domain Administrator account is a member of the local administrators account on one of your servers with the problem.

Then I suggest you enable security auditing using GPOs for the servers and look for the access denied messages in the security event log to see what else might be causing the problems.

Cheers

JamesDS
0
 

Author Comment

by:royshapira
ID: 12237501
thank u james for this superswift reply.

indeed the domain admins grp is a member of all the local admin grps on all member servers.

can u provide some more info on how to audit this?

tnx

0
 

Author Comment

by:royshapira
ID: 12237544
more information: The remote registry service is running on target servers - perhaps a more fine setting or user right?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12237548
royshapira
Welcome

GPO Security policies are here:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events

I suggest you start with Audit account logon events success/failure and then Audit privilege use failure

Cheers

JamesDS
0
 

Author Comment

by:royshapira
ID: 12238475
Hi James,

Event log collected no new data - despite my repeated attempts.

I am quite convinced this has to do with a basic difference between member servers and domain controllers (perhaps in how msbs are handled - I am not sure I understand the issues, or some missing right?).

This is because from the member server I CAN open the event log on the domain controller when logged on as the domain admin, but from the domain controller I can NOT do so to the member server, again as the domain admin.

0

 
LVL 8

Expert Comment

by:nader alkahtani
ID: 12243815
"when using comp. mng to view remote machines (as domain admin)"

which program do you use ?
0
 

Author Comment

by:royshapira
ID: 12246325
G'day Nadir  and thank you for joining this.

To answer your q: "Computer Management" is the tool (r-click computer icon >> manage)

I have since collected some more data:

I can also NOT remote manage the registry of affected servers in said OU.

using local sec pol tool i see all rights are set correctly.


I suspected perhaps the security option: "network access: remotely accessible network paths and subpaths" and have tried adding hkelm- no success-but its a thought..

much obliged
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12246534
royshapira
Is the remote registry service enabled on these servers?
Have you used the GPMC tool to work out what policy settings are being applied to the servers?

Download the GPMC from here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Cheers

JamesDS
0
 
LVL 3

Expert Comment

by:onesquin
ID: 12253677
(perhaps in how msbs are handled - I am not sure I understand the issues, or some missing right?).

what do you mean by msbs in the above post??
0
 

Author Comment

by:royshapira
ID: 12265257
Hi,

I believe I have resolved the problem and would like to describe the solution to you, it is based on KB314837 (http://support.microsoft.com/default.aspx?kbid=314837 ).

I must say I have spent an inordinate amount of time on this one and am afraid at times I was running in all directions but the right one. What pointed me in the right direction was the realization that in addition to the original problem I had no remote mng of registry - and investigating this proved fruitful.
...
Although this article addresses xp - it worked for me.

For a reason I cannot understand, a single security permission was missing from the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

That is: local service should have read permission. I figured this out by comparing the settings on my DCs, which did not experience this problem.

After testing carefully I added this key to the GPO for the member servers and executed "gpupdate /force /sync" on them (requires boot) - and it works.

I am very grateful for the time u spent on this one - hope my answer will help you in future.
Roy

PS
Dear moderator - This Question should be closed and points reclaimed.
0
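
The check Roy describes above (does LOCAL SERVICE hold read permission on the winreg key, compared against a machine that works) can be scripted. This is an added example, not part of the original thread; it assumes Windows PowerShell 2.0 or later, run locally as an administrator on the server being checked, and the function names are hypothetical.

```powershell
# Added example (not from the thread): list the ACEs on the winreg key and
# check whether LOCAL SERVICE is granted read access directly.
$WinregPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$LocalServiceSid = 'S-1-5-19'   # well-known SID of NT AUTHORITY\LOCAL SERVICE
$ReadKey         = [int][System.Security.AccessControl.RegistryRights]::ReadKey
$GenericRead     = [int]::MinValue   # raw GENERIC_READ bit (0x80000000) in an ACE mask

function Get-WinregAce {
    param([string]$Path = $WinregPath)
    $acl = Get-Acl -Path $Path
    # Request SIDs instead of names so output matches across localized systems.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        New-Object PSObject -Property @{
            Sid       = $rule.IdentityReference.Value
            Type      = $rule.AccessControlType.ToString()
            Mask      = [int]$rule.RegistryRights
            Inherited = $rule.IsInherited
        }
    }
}

function Test-LocalServiceCanRead {
    # Looks only at ACEs naming LOCAL SERVICE itself, not at group membership.
    param([object[]]$Ace)
    $mine   = @($Ace | Where-Object { $_.Sid -eq $LocalServiceSid })
    $grants = @($mine | Where-Object {
        $_.Type -eq 'Allow' -and
        ((($_.Mask -band $ReadKey) -eq $ReadKey) -or
         (($_.Mask -band $GenericRead) -ne 0)) })
    # A Deny ACE covering any read bit overrides the Allow.
    $denies = @($mine | Where-Object {
        $_.Type -eq 'Deny' -and
        (($_.Mask -band ($ReadKey -bor $GenericRead)) -ne 0) })
    return ($grants.Count -gt 0 -and $denies.Count -eq 0)
}

$aces = @(Get-WinregAce)
$aces | Sort-Object Sid | Format-Table Sid, Type, Mask, Inherited -AutoSize
if (Test-LocalServiceCanRead -Ace $aces) {
    'OK: LOCAL SERVICE has read permission on the winreg key'
} else {
    'MISSING: LOCAL SERVICE has no read permission on the winreg key'
}
```

Running it on a domain controller that behaves correctly and on an affected member server, then comparing the two tables, reproduces the comparison described in the post.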
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14070704
PAQed with points refunded (500)

modulo
Community Support Moderator
0

Question has a verified solution.