royshapira

"local users and groups" is disabled in "computer mng" when viewing remote servers but NOT when viewing DCs

G'day,
More information:
all servers and the AD are 2003 ent.
2 dcs, ~20 servers.
~1200 PCs
~ 4000 users (uni campus)

when using comp. mng to view remote machines (as domain admin) :
1) I can see client XP machines and have complete control
2) same for the domain controllers (naturally no "local users..")
3) HOWEVER I get "local users and groups" disabled (big ugly red X) for all member servers. and on right side pane there is this msg.

"unable to access the computer <computer name>. The error was: access is denied"

I suspect the GPO (but it is minimal and all security settings are in def domain and def dom cntrlrs) but I do not want to misdirect you.

questions:
1) bug or feature (i am quite convinced i had it before)?
2) how do i solve this? perhaps some user right?

much obliged
Roy


JamesDS

royshapira
First check that your Domain Administrator account is a member of the local administrators account on one of your servers with the problem.

Then I suggest you enable security auditing using GPOs for the servers and look for the access denied messages in the security event log to see what else might be causing the problems.

Cheers

JamesDS

ASKER

thank u james for this superswift reply.

indeed the domain admins grp is a member of all the local admin grps on all member servers.

can u provide some more info on how to audit this?

tnx

more information: The remote registry service is running on target servers - perhaps a more fine setting or user right?
royshapira
Welcome

GPO Security policies are here:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events

I suggest you start with Audit account logon events success/failure and then Audit privilege use failure

Cheers

JamesDS
Hi James,

Event log collected no new data - despite my repeated attempts.

I am quite convinced this has to do with a basic difference between member servers and domain controllers (perhaps in how msbs are handled - I am not sure I understand the issues, or some missing right?).

This is because from the member server I CAN open the event log on the domain controller when logged on as the domain admin, but from the domain controller I can NOT do so to the member server, again as the domain admin.

nader alkahtani
"when using comp. mng to view remote machines (as domain admin)"

which program do you use ?
G'day Nader and thank you for joining this.

To answer your q: "Computer management" is the tool (r-click computer icon >> manage)

I have since collected some more data:

I can also NOT remote manage the registry of affected servers in said OU.

using local sec pol tool i see all rights are set correctly.


I suspected perhaps the security option: "network access: remotely accessible network paths and subpaths" and have tried adding hkelm - no success - but it's a thought.

much obliged
royshapira
Is the remote registry service enabled on these servers?
Have you used the GPMC tool to work out what policy settings are being applied to the servers?

Download the GPMC from here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Cheers

JamesDS
(perhaps in how msbs are handled - I am not sure I understand the issues, or some missing right?).

what do you mean by msbs in the above post??
Hi,

I believe I have resolved the problem and would like to describe the solution to you, it is based on KB314837 (http://support.microsoft.com/default.aspx?kbid=314837 ).

I must say I have spent an inordinate amount of time on this one and am afraid at times I was running in all directions but the right one. What pointed me in the right direction was the realization that in addition to the original problem I had no remote mng of registry - and investigating this proved fruitful.
...
Although this article addresses xp - it worked for me.

For a reason I cannot understand, a single security permission was missing from the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

That is: local service should have read permission. I figured this out by comparing the settings on my DCs which did not experience this problem.

After testing carefully I added this key to the GPO for the member servers and executed "gpupdate /force /sync" on them (requires boot) - and it works.

I am very grateful for the time u spent on this one - hope my answer will help you in future.
Roy

PS
Dear moderator - This Question should be closed and points reclaimed.
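
Added example, not part of the original thread: a read-only PowerShell check for the permission described in the post above, namely whether LOCAL SERVICE holds read access on the winreg key, plus a dump of the key's ACL for comparison with a domain controller. It assumes PowerShell is installed on the server and is run locally as an administrator; the function name `Test-WinregLocalServiceRead` is hypothetical, and only ACEs granted directly to LOCAL SERVICE are evaluated (not rights obtained through group membership).

```powershell
# Added example: run locally on the server being checked, as an administrator.
$WinregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Test-WinregLocalServiceRead {   # hypothetical helper name
    param([string]$Path = $WinregKey)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inhOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $lsSid   = 'S-1-5-19'   # well-known SID of NT AUTHORITY\LOCAL SERVICE

    $acl   = Get-Acl -Path $Path
    # Ask for SIDs instead of names so the match does not depend on OS language.
    $rules = $acl.GetAccessRules($true, $true, $sidType)

    $allow = 0
    $deny  = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $lsSid) { continue }
        # Inherit-only ACEs apply to subkeys, not to the winreg key itself.
        if (([int]$rule.PropagationFlags -band $inhOnly) -ne 0) { continue }
        if ($rule.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$rule.RegistryRights
        } else {
            $deny = $deny -bor [int]$rule.RegistryRights
        }
    }

    # Rights granted directly to LOCAL SERVICE, minus anything explicitly denied.
    $effective = $allow -band (-bnot $deny)
    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        LocalServiceRead = (($effective -band $readKey) -eq $readKey)
        AllowMask        = ('0x{0:X}' -f $allow)
        DenyMask         = ('0x{0:X}' -f $deny)
    }
}

Test-WinregLocalServiceRead | Format-List

# Full ACL, for a side-by-side comparison with a domain controller's output.
(Get-Acl -Path $WinregKey).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Running it on a domain controller and on an affected member server gives the same kind of comparison the post describes doing by hand.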