Solved

Unable to modify users from second server in Active Directory

Posted on 2007-12-03
7
152 Views
Last Modified: 2010-04-18
I have a very basic network setup with one 2003 Server running AD and several member servers, one of which is running Exchange 2003.  Until last week I was able to use ADUC to modify and create users from the Exchange server.  Since last week I can only view properties.  It doesn't give me any choice to create users, and all user properties are greyed out.  If I try to do anything it says "you do not have permission to change the [whatever] attribute, changes will not be saved."

I am logged in as administrator, and I rebooted this server this weekend.  I have not rebooted the primary server yet.

Thanks,
Jason
0
Comment
Question by:ChiefAuto
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20399938
dcdiag will be the first point to look at
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20401455
From the primary domain controller, are you able to create new user?
0
 

Author Comment

by:ChiefAuto
ID: 20403294
jay jay: I ran dcdiag /s:[domain server name] and it came up fine.  When I try dcdiag /a it says "Exchange is not a DC.  Must specify /s:....."

mcse2007: I can create new users from the primary controller just fine.

I just noticed that the exchange server doesn't show up as a domain controller in ADUC.  Shouldn't it have gone there automatically when it was installed?  It worked perfectly for 3 months.

Thanks,
Jason
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20408733
not unless your exchange server is indeed a DC...it may be that you only have the adminpak installed on that exchange box

There is no such thing as a PDC

my guess is that exchange server is just an exchange server and that the adminpak is installed and that the user you have doesnt have enough rights to modify those objects
0
 
LVL 7

Accepted Solution

by:
mcse2007 earned 250 total points
ID: 20408787
ChiefAuto,

If you are accessing your primary  DC from the Exchange server and if your exchange is not a promoted is not secondary AD and you are using an adminpak, why don't you right click the Users and Computers icon on your desktop then select "RUN AS" and put the account that has the rights to create, amend user account etc. ?
0
 

Author Comment

by:ChiefAuto
ID: 20415506
mcse2007,

It works great if I RUN AS my own account, but not as administrator.  Even domain\administrator doesn't work.  The problem I have with it is that you have to run it that way every time.  At least I was able to get done what I needed to get done this way.

Does it make any sense that I have to log on as an administrator but not 'administrator' to you?  It doesn't make much sense to me.
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20415928
The best practice when logging into member server is logon as non administrator account then use ONLY the local administrator account of the server to perform installation or troubleshooting like using the RUN AS this apply to running AD users and computers, Sites and Services etc.,

 


0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question