Solved

"local users and groups" is disabled in "computer mng" when viewing remote servers but NOT when viewing DCs

Posted on 2004-10-06
Last Modified: 2013-12-04
G'day,
More information:
all servers and the AD are 2003 ent.
2 dcs, ~20 servers.
~1200 PCs
~ 4000 users (uni campus)

when using comp. mng to view remote machines (as domain admin) :
1) I can see client XP machines and have complete control
2) same for the domain controllers (naturally no "local users..")
3) HOWEVER I get "local users and groups" disabled (big ugly red X) for all member servers. and on right side pane there is this msg.

"unable to access the computer <computer name>. The error was: access is denied"

I suspect the GPO (but it is minimal and all security settings are in def domain and def dom cntrlrs) but i do not want to misdirect you.

questions:
1) bug or feature (i am quite convinced i had it before)?
2) how do i solve this? perhaps some user right?

much obliged
Roy


Question by:royshapira
12 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 12237462
royshapira
First check that your Domain Administrator account is a member of the local administrators account on one of your servers with the problem.

Then I suggest you enable security auditing using GPOs for the servers and look for the access denied messages in the security event log to see what else might be causing the problems.

Cheers

JamesDS
0
 

Author Comment

by:royshapira
ID: 12237501
thank u james for this superswift reply.

indeed the domain admins grp is a member of all the local admin grps on all member servers.

can u provide some more info on how to audit this?

tnx

0
 

Author Comment

by:royshapira
ID: 12237544
more information: The remote registry service is running on target servers - perhaps a more fine setting or user right?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12237548
royshapira
Welcome

GPO Security policies are here:
Computer Configuration    Windows Settings\Security Settings\Local Policies\Audit Policy    Audit account logon events
Computer Configuration    Windows Settings\Security Settings\Local Policies\Audit Policy    Audit account management
Computer Configuration    Windows Settings\Security Settings\Local Policies\Audit Policy    Audit directory service access
Computer Configuration    Windows Settings\Security Settings\Local Policies\Audit Policy    Audit logon events
Computer Configuration    Windows Settings\Security Settings\Local Policies\Audit Policy    Audit object access
Computer Configuration    Windows Settings\Security Settings\Local Policies\Audit Policy    Audit policy change
Computer Configuration    Windows Settings\Security Settings\Local Policies\Audit Policy    Audit privilege use
Computer Configuration    Windows Settings\Security Settings\Local Policies\Audit Policy    Audit process tracking
Computer Configuration    Windows Settings\Security Settings\Local Policies\Audit Policy    Audit system events

I suggest you start with Audit account logon events success/failure and then Audit privilege use failure

Cheers

JamesDS
0
 

Author Comment

by:royshapira
ID: 12238475
Hi James,

Event log collected no new data - despite my repeated attempts.

I am quite convinced this has to do with a basic difference between member servers and domain controllers (perhaps in how msbs are handled - i am not sure i understand the issues, or some missing right?).

this is because from the member server i CAN open the event log on the domain controller when logged on as the domain admin but from the domain controller i can NOT do so to the member server, again as the domain admin.

0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 12243815
"when using comp. mng to view remote machines (as domain admin)"

which program do you use ?
0
 

Author Comment

by:royshapira
ID: 12246325
G'day Nadir  and thank you for joining this.

To answer your q: "Computer Management" is the tool (r-click computer icon >> manage)

I have since collected some more data:

i can also NOT remote manage the registry of affected servers in said OU.

using local sec pol tool i see all rights are set correctly.


I suspected perhaps the security option: "network access: remotely accessible network paths and subpaths" and have tried adding hkelm- no success-but its a thought..

much obliged
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12246534
royshapira
Is the remote registry service enabled on these servers?
Have you used the GPMC tool to work out what policy settings are being applied to the servers?

Download the GPMC from here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Cheers

JamesDS
0
 
LVL 3

Expert Comment

by:onesquin
ID: 12253677
(perhaps in how msbs are handled - i am not sure i understand the issues, or some missing right?).

what do you mean by msbs in the above post??
0
 

Author Comment

by:royshapira
ID: 12265257
Hi,

I believe I have resolved the problem and would like to describe the solution to you, it is based on KB314837 (http://support.microsoft.com/default.aspx?kbid=314837 ).

I must say I have spent an inordinate amount of time on this one and am afraid at times I was running in all directions but the right one. What pointed me in the right direction was the realization that in addition to the original problem I had no remote mng of registry - and investigating this proved fruitful.
...
Although this article addresses xp - it worked for me.

For a reason I cannot understand, a single security permission was missing from the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

That is: local service should have read permission. I figured this out by comparing the settings on my DCs which did not experience this problem.

After testing carefully I added this key to the GPO for the member servers and executed "gpupdate /force /sync" on them (requires boot) - and it works.

I am very grateful for the time u spent on this one - hope my answer will help you in future.
Roy

PS
Dear moderator - This Question should be closed and points reclaimed.
0
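
An added example, not part of the original thread: a PowerShell check for the permission royshapira found missing, i.e. an allow entry granting LOCAL SERVICE read access on the `winreg` key. It assumes PowerShell is available on the servers being checked; the server names in the usage comment are placeholders.

```powershell
function Test-WinregLocalServiceRead {
    # Run locally on the server being checked: remote registry access is
    # exactly what fails when this ACL entry is missing.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $localServiceSid = 'S-1-5-19'   # well-known SID of NT AUTHORITY\LOCAL SERVICE
    $read = [System.Security.AccessControl.RegistryRights]::ReadKey

    $acl = Get-Acl -Path $path

    # Translate every ACE to a SID so the match does not depend on the
    # display language of the OS or on name resolution.
    $rules = $acl.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $allow = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $localServiceSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $read) -eq $read
    })

    # An explicit Deny for the same SID would override the Allow entry.
    $deny = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $localServiceSid -and
        $_.AccessControlType -eq 'Deny'
    })

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        LocalServiceRead = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        AllowEntries     = $allow.Count
        DenyEntries      = $deny.Count
        Sddl             = $acl.Sddl   # keep for diffing against a known-good DC
    }
}

# Local check on one member server:
#   Test-WinregLocalServiceRead
#
# Fleet check (assumption: PowerShell remoting is enabled; names are placeholders):
#   Invoke-Command -ComputerName 'MEMBER01','MEMBER02','DC01' `
#       -ScriptBlock ${function:Test-WinregLocalServiceRead} |
#       Sort-Object LocalServiceRead |
#       Format-Table Computer, LocalServiceRead, AllowEntries, DenyEntries
```

Comparing the `Sddl` value from an affected member server with the one from a working domain controller reproduces the comparison described in the post above.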
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14070704
PAQed with points refunded (500)

modulo
Community Support Moderator
0
