
Unable to modify users from second server in Active Directory

Posted on 2007-12-03
Last Modified: 2010-04-18
I have a very basic network setup with one 2003 Server running AD and several member servers, one of which is running Exchange 2003.  Until last week I was able to use ADUC to modify and create users from the Exchange server.  Since last week I can only view properties.  It doesn't give me any choice to create users, and all user properties are greyed out.  If I try to do anything it says "you do not have permission to change the [whatever] attribute, changes will not be saved."

I am logged in as administrator, and I rebooted this server this weekend.  I have not rebooted the primary server yet.

Thanks,
Jason
Question by:ChiefAuto
7 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20399938
dcdiag will be the first point to look at
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20401455
From the primary domain controller, are you able to create a new user?
0
 

Author Comment

by:ChiefAuto
ID: 20403294
jay jay: I ran dcdiag /s:[domain server name] and it came up fine.  When I try dcdiag /a it says "Exchange is not a DC.  Must specify /s:....."

mcse2007: I can create new users from the primary controller just fine.

I just noticed that the exchange server doesn't show up as a domain controller in ADUC.  Shouldn't it have gone there automatically when it was installed?  It worked perfectly for 3 months.

Thanks,
Jason
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20408733
not unless your exchange server is indeed a DC...it may be that you only have the adminpak installed on that exchange box

There is no such thing as a PDC

my guess is that exchange server is just an exchange server and that the adminpak is installed and that the user you have doesn't have enough rights to modify those objects
0
 
LVL 7

Accepted Solution

by:
mcse2007 earned 1000 total points
ID: 20408787
ChiefAuto,

If you are accessing your primary DC from the Exchange server, and if your Exchange server is not promoted, is not a secondary AD, and you are using an adminpak, why don't you right-click the Users and Computers icon on your desktop, then select "RUN AS" and put in the account that has the rights to create, amend user accounts, etc.?
0
 

Author Comment

by:ChiefAuto
ID: 20415506
mcse2007,

It works great if I RUN AS my own account, but not as administrator.  Even domain\administrator doesn't work.  The problem I have with it is that you have to run it that way every time.  At least I was able to get done what I needed to get done this way.

Does it make any sense that I have to log on as an administrator but not 'administrator' to you?  It doesn't make much sense to me.
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20415928
The best practice when logging into a member server is to log on with a non-administrator account, then use ONLY the local administrator account of the server to perform installation or troubleshooting, such as by using RUN AS. This applies to running AD Users and Computers, Sites and Services, etc.

 


0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question