Solved

"Local Users and Groups" is disabled in Computer Management when viewing remote member servers but NOT when viewing DCs

Posted on 2004-10-06
12
5,308 Views
Last Modified: 2013-12-04
G'day,
More information:
all servers and the AD are 2003 ent.
2 dcs, ~20 servers.
~1200 PCs
~ 4000 users (uni campus)

When using Computer Management to view remote machines (as domain admin):
1) I can see client XP machines and have complete control.
2) Same for the domain controllers (naturally no "Local Users and Groups").
3) HOWEVER I get "Local Users and Groups" disabled (big ugly red X) for all member servers, and in the right-hand pane there is this message:

"Unable to access the computer <computer name>. The error was: access is denied"

I suspect the GPO (but it is minimal and all security settings are in the Default Domain and Default Domain Controllers policies), but I do not want to misdirect you.

Questions:
1) Bug or feature (I am quite convinced I had it before)?
2) How do I solve this? Perhaps some user right?

much obliged
Roy


0
Question by:royshapira
12 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 12237462
royshapira
First check that your Domain Administrator account is a member of the local Administrators group on one of your servers with the problem.

Then I suggest you enable security auditing using GPOs for the servers and look for the access denied messages in the security event log to see what else might be causing the problems.

Cheers

JamesDS
0
 

Author Comment

by:royshapira
ID: 12237501
Thank you James for this super-swift reply.

Indeed the Domain Admins group is a member of all the local Administrators groups on all member servers.

Can you provide some more info on how to audit this?

Thanks

0
 

Author Comment

by:royshapira
ID: 12237544
More information: the Remote Registry service is running on the target servers. Perhaps a finer-grained setting or user right?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12237548
royshapira
Welcome

GPO Security policies are here:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
  Audit account logon events
  Audit account management
  Audit directory service access
  Audit logon events
  Audit object access
  Audit policy change
  Audit privilege use
  Audit process tracking
  Audit system events

I suggest you start with Audit account logon events success/failure and then Audit privilege use failure

Cheers

JamesDS
0
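The check JamesDS suggests (switch on auditing, then look for the denials) can be scripted once the policy is in place. The following is an added example and not code from the thread: it pulls Failure Audit records from a member server's Security log and summarises them by event ID. It assumes Windows PowerShell 5.1 (Get-EventLog is not available in PowerShell 7), that the caller can read the remote Security log, and the host name MEMBER01 is a placeholder.

```powershell
# Added example (not from the original thread). Pulls failure audits from the
# Security log of a member server so "access denied" events can be reviewed
# after auditing has been switched on via GPO.
# Assumes: Windows PowerShell 5.1 (Get-EventLog is not in PowerShell 7) and
# that the caller can read the remote Security log. Host name is a placeholder.

param(
    [string]$Server = 'MEMBER01',   # assumption: the server showing the red X
    [int]$Hours = 1                 # look back this far
)

$since = (Get-Date).AddHours(-$Hours)

# Failure audits only; the EntryType filter matches the "Failure Audit" records
# that Audit logon events / Audit privilege use write on a denied attempt.
$events = Get-EventLog -ComputerName $Server -LogName Security `
                       -EntryType FailureAudit -After $since

if (-not $events) {
    Write-Host "No failure audits on $Server since $since. Either nothing was denied at the"
    Write-Host "audit layer, or the audit policy has not been applied yet (try gpupdate /force)."
    return
}

# Summarise by event ID, keeping the first line of one sample message so
# repeated denials of the same kind stand out.
$events |
    Group-Object EventID |
    Sort-Object Count -Descending |
    ForEach-Object {
        $sample = $_.Group[0]
        [pscustomobject]@{
            EventID = $_.Name
            Count   = $_.Count
            Last    = ($_.Group | Sort-Object TimeGenerated -Descending)[0].TimeGenerated
            Sample  = ($sample.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize
```

An empty result is itself informative: as Roy found in the next post, a denial that happens below the audit layer (for example on a registry key ACL before the logon or privilege check) leaves nothing in the Security log, so a silent log does not rule out an access-control cause.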
 

Author Comment

by:royshapira
ID: 12238475
Hi James,

The event log collected no new data, despite my repeated attempts.

I am quite convinced this has to do with a basic difference between member servers and domain controllers (perhaps in how msbs are handled - I am not sure I understand the issues, or some missing right?).

This is because from the member server I CAN open the event log on the domain controller when logged on as the domain admin, but from the domain controller I can NOT do so to the member server, again as the domain admin.

0

 
LVL 8

Expert Comment

by:nader alkahtani
ID: 12243815
"when using comp. mng to view remote machines (as domain admin)"

which program do you use ?
0
 

Author Comment

by:royshapira
ID: 12246325
G'day Nadir, and thank you for joining this.

To answer your question: "Computer Management" is the tool (right-click the computer icon >> Manage).

I have since collected some more data:

I can also NOT remotely manage the registry of the affected servers in said OU.

Using the Local Security Policy tool I see all rights are set correctly.

I suspected perhaps the security option "Network access: remotely accessible network paths and subpaths" and have tried adding HKLM - no success - but it's a thought.

Much obliged
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12246534
royshapira
Is the remote registry service enabled on these servers?
Have you used the GPMC tool to work out what policy settings are being applied to the servers?

Download the GPMC from here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Cheers

JamesDS
0
 
LVL 3

Expert Comment

by:onesquin
ID: 12253677
"(perhaps in how msbs are handled - I am not sure I understand the issues, or some missing right?)"

What do you mean by "msbs" in the above post?
0
 

Author Comment

by:royshapira
ID: 12265257
Hi,

I believe I have resolved the problem and would like to describe the solution to you. It is based on KB314837 (http://support.microsoft.com/default.aspx?kbid=314837).

I must say I have spent an inordinate amount of time on this one and am afraid at times I was running in all directions but the right one. What pointed me in the right direction was the realization that, in addition to the original problem, I had no remote management of the registry - and investigating this proved fruitful.
...
Although this article addresses XP, it worked for me.

For a reason I cannot understand, a single security permission was missing from the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

That is: LOCAL SERVICE should have Read permission. I figured this out by comparing the settings with my DCs, which did not experience this problem.

After testing carefully I added this key to the GPO for the member servers and executed "gpupdate /force /sync" on them (requires a reboot) - and it works.

I am very grateful for the time you spent on this one - hope my answer will help you in future.
Roy

PS
Dear moderator - This Question should be closed and points reclaimed.
0
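Roy's diagnosis was made by comparing the winreg key ACL on a working DC with a broken member server. The script below is an added example, not code from the thread or from the KB article, that automates that comparison and, with -Fix, adds the missing Read ACE for LOCAL SERVICE. It assumes PowerShell remoting (WinRM) is enabled on both hosts and that the caller is a local administrator there; the host names DC01 and MEMBER01 are placeholders. WinRM is used deliberately because the Remote Registry path (the winreg pipe) is exactly what is broken here, so reading the key through OpenRemoteBaseKey would fail with the same access denied. On the 2003-era hosts in this thread, which predate PowerShell remoting, the same edit is made in regedit's Permissions dialog or through the GPO as Roy did.

```powershell
# Added example (not from the original thread or KB314837). Compares the ACL
# on the winreg key of a member server with a known-good domain controller
# and, with -Fix, grants LOCAL SERVICE the missing Read access.
# Assumes: PowerShell remoting (WinRM) is enabled on both machines and the
# caller is a local administrator there. Host names are placeholders.

param(
    [string]$Reference = 'DC01',        # assumption: a DC that works
    [string]$Target    = 'MEMBER01',    # assumption: a member server that fails
    [switch]$Fix
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Returns the ACEs of the winreg key as "Identity|Rights|Type" strings so the
# two machines can be compared with Compare-Object.
$GetWinregAces = {
    param($Path)
    $acl = Get-Acl -Path $Path
    $acl.Access | ForEach-Object {
        '{0}|{1}|{2}' -f $_.IdentityReference, $_.RegistryRights, $_.AccessControlType
    }
}

$refAces = Invoke-Command -ComputerName $Reference -ScriptBlock $GetWinregAces -ArgumentList $KeyPath
$tgtAces = Invoke-Command -ComputerName $Target    -ScriptBlock $GetWinregAces -ArgumentList $KeyPath

$diff = Compare-Object -ReferenceObject $refAces -DifferenceObject $tgtAces
if (-not $diff) {
    Write-Host "winreg ACLs on $Reference and $Target are identical."
} else {
    Write-Host "ACEs on $Reference but missing on $Target (<=), or extra on $Target (=>):"
    $diff | Format-Table -AutoSize
}

if ($Fix) {
    Invoke-Command -ComputerName $Target -ScriptBlock {
        param($Path)
        $acl = Get-Acl -Path $Path
        $localService = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'LOCAL SERVICE')
        $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey

        # Already has an Allow ACE covering all of ReadKey? Then leave the ACL alone.
        $hasRead = $acl.Access | Where-Object {
            $_.IdentityReference -eq $localService -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $readKey) -eq $readKey)
        }
        if ($hasRead) {
            Write-Host "LOCAL SERVICE already has Read on winreg; nothing to do."
            return
        }

        # Grant Read only (not Full Control): winreg gates remote registry access,
        # so the ACE should be as narrow as the working DC's.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $localService,
            $readKey,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
        Write-Host "Granted LOCAL SERVICE Read on winreg; restart the Remote Registry service or reboot."
    } -ArgumentList $KeyPath
}
```

Run it without -Fix first and read the diff: the fix is only safe if the sole difference is the missing LOCAL SERVICE Read entry Roy describes. Any other discrepancy on this key (extra Allow entries, Everyone, or Authenticated Users) is worth understanding before touching it, because this ACL is what limits who can open the registry remotely at all.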
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14070704
PAQed with points refunded (500)

modulo
Community Support Moderator
0
