Solved

Unable to modify users from second server in Active Directory

Posted on 2007-12-03
7
151 Views
Last Modified: 2010-04-18
I have a very basic network setup with one 2003 Server running AD and several member servers, one of which is running Exchange 2003.  Until last week I was able to use ADUC to modify and create users from the Exchange server.  Since last week I can only view properties.  It doesn't give me any choice to create users, and all user properties are greyed out.  If I try to do anything it says "you do not have permission to change the [whatever] attribute, changes will not be saved."

I am logged in as administrator, and I rebooted this server this weekend.  I have not rebooted the primary server yet.

Thanks,
Jason
0
Comment
Question by:ChiefAuto
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20399938
dcdiag will be the first point to look at
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20401455
From the primary domain controller, are you able to create new user?
0
 

Author Comment

by:ChiefAuto
ID: 20403294
jay jay: I ran dcdiag /s:[domain server name] and it came up fine.  When I try dcdiag /a it says "Exchange is not a DC.  Must specify /s:....."

mcse2007: I can create new users from the primary controller just fine.

I just noticed that the exchange server doesn't show up as a domain controller in ADUC.  Shouldn't it have gone there automatically when it was installed?  It worked perfectly for 3 months.

Thanks,
Jason
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20408733
not unless your exchange server is indeed a DC...it may be that you only have the adminpak installed on that exchange box

There is no such thing as a PDC

my guess is that exchange server is just an exchange server and that the adminpak is installed and that the user you have doesnt have enough rights to modify those objects
0
 
LVL 7

Accepted Solution

by:
mcse2007 earned 250 total points
ID: 20408787
ChiefAuto,

If you are accessing your primary  DC from the Exchange server and if your exchange is not a promoted is not secondary AD and you are using an adminpak, why don't you right click the Users and Computers icon on your desktop then select "RUN AS" and put the account that has the rights to create, amend user account etc. ?
0
 

Author Comment

by:ChiefAuto
ID: 20415506
mcse2007,

It works great if I RUN AS my own account, but not as administrator.  Even domain\administrator doesn't work.  The problem I have with it is that you have to run it that way every time.  At least I was able to get done what I needed to get done this way.

Does it make any sense that I have to log on as an administrator but not 'administrator' to you?  It doesn't make much sense to me.
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20415928
The best practice when logging into member server is logon as non administrator account then use ONLY the local administrator account of the server to perform installation or troubleshooting like using the RUN AS this apply to running AD users and computers, Sites and Services etc.,

 


0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question