Solved

Unable to modify users from second server in Active Directory

Posted on 2007-12-03
Last Modified: 2010-04-18
I have a very basic network setup with one 2003 Server running AD and several member servers, one of which is running Exchange 2003.  Until last week I was able to use ADUC to modify and create users from the Exchange server.  Since last week I can only view properties.  It doesn't give me any choice to create users, and all user properties are greyed out.  If I try to do anything it says "you do not have permission to change the [whatever] attribute, changes will not be saved."

I am logged in as administrator, and I rebooted this server this weekend.  I have not rebooted the primary server yet.

Thanks,
Jason
0
Question by:ChiefAuto
7 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20399938
dcdiag will be the first point to look at
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20401455
From the primary domain controller, are you able to create a new user?
0
 

Author Comment

by:ChiefAuto
ID: 20403294
jay jay: I ran dcdiag /s:[domain server name] and it came up fine.  When I try dcdiag /a it says "Exchange is not a DC.  Must specify /s:....."

mcse2007: I can create new users from the primary controller just fine.

I just noticed that the exchange server doesn't show up as a domain controller in ADUC.  Shouldn't it have gone there automatically when it was installed?  It worked perfectly for 3 months.

Thanks,
Jason
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20408733
not unless your exchange server is indeed a DC...it may be that you only have the adminpak installed on that exchange box

There is no such thing as a PDC

My guess is that the Exchange server is just an Exchange server, that the adminpak is installed, and that the user you have doesn't have enough rights to modify those objects.
0
 
LVL 7

Accepted Solution

by:
mcse2007 earned 1000 total points
ID: 20408787
ChiefAuto,

If you are accessing your primary DC from the Exchange server, and if your Exchange server is not promoted (is not a secondary AD) and you are using the adminpak, why don't you right-click the Users and Computers icon on your desktop, then select "RUN AS" and enter the account that has the rights to create, amend user accounts, etc.?
0
 

Author Comment

by:ChiefAuto
ID: 20415506
mcse2007,

It works great if I RUN AS my own account, but not as administrator.  Even domain\administrator doesn't work.  The problem I have with it is that you have to run it that way every time.  At least I was able to get done what I needed to get done this way.

Does it make any sense that I have to log on as an administrator but not 'administrator' to you?  It doesn't make much sense to me.
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20415928
The best practice when logging in to a member server is to log on with a non-administrator account, then use ONLY the local administrator account of the server to perform installation or troubleshooting, such as by using RUN AS. This applies to running AD Users and Computers, Sites and Services, etc.

 


0
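The checks this thread circles around (is the server a domain controller, which account is really logged on, and does its token carry domain admin rights) can be scripted. The following is an added example, not part of the original thread; it assumes Windows PowerShell 2.0 or later, and the `<DOMAIN>\<account>` text in the last line is a placeholder.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 2.0 or later.
# Run it in the same logon session that opens ADUC on the member server.

# Win32_ComputerSystem.DomainRole values
$roles = @{ 0 = 'Standalone workstation';   1 = 'Member workstation'
            2 = 'Standalone server';        3 = 'Member server'
            4 = 'Backup domain controller'; 5 = 'Primary domain controller' }

$cs       = Get-WmiObject -Class Win32_ComputerSystem
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Identity name is AUTHORITY\account; the authority is either the domain
# or, for a local account, the computer name itself.
$authority, $account = $identity.Name -split '\\', 2

# Look for well-known domain admin group RIDs among the token's group SIDs.
$wellKnown   = @{ '512' = 'Domain Admins'; '519' = 'Enterprise Admins' }
$adminGroups = @()
foreach ($sid in $identity.Groups) {
    if ($sid.Value -match '^S-1-5-21-\d+-\d+-\d+-(512|519)$') {
        $adminGroups += $wellKnown[$Matches[1]]
    }
}

"Machine role : {0}" -f $roles[[int]$cs.DomainRole]
"Logged on as : {0}" -f $identity.Name

if ($authority -eq $env:COMPUTERNAME) {
    "Account type : LOCAL account on this server, not a domain identity"
} elseif ($adminGroups.Count -eq 0) {
    "Account type : domain account without Domain Admins or Enterprise Admins in its token; edits need delegated rights"
} else {
    "Account type : domain account, member of {0}" -f ($adminGroups -join ', ')
}

# The RUN AS approach from the accepted solution, as a command line
# (placeholder account; substitute one that holds the required rights):
'runas /user:<DOMAIN>\<account> "mmc %windir%\system32\dsa.msc"'
```

The script only recognises the two well-known admin groups; rights delegated to other groups on specific OUs will not show up in its output.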
