Error accessing remote computer system properties via compmgmt.msc as Administrator.

Posted on 2008-06-26
Last Modified: 2012-05-05
I have a domain controller called corp-dc-01, and a mail server called corp-mx-01. When I log in to corp-dc-01 as administrator, go to computer management, connect to corp-mx-01, and try and display the system properties (by right clicking Computer Management and going to Properties), I get an error: "Win32: Access Denied"

I copied the administrator account to a test account in the same OU, and can successfully view the system properties from the test account - so it seems that no Group Policies are blocking that access.

What steps can I take to help get to the root cause of the Administrator account not having access to the mx system properties remotely? It's also affecting about 30 workstations, so I'm hoping that I can resolve it fairly easily once we come up with a resolution.
Question by:InterWorks
13 Comments
 
LVL 8

Expert Comment

by:pzozulka
ID: 21876891
In command prompt: SystemInfo /S computername /U Domain\Username /P password

Thanks to:

http://www.experts-exchange.com/Hardware/Misc/Q_23518659.html
0
 
LVL 1

Author Comment

by:InterWorks
ID: 21876996
Using the command line tool allows me to view the information. However, I'm still concerned about not being able to do that via Computer Management, and getting the Win32 error. Any ideas on resolving that?
0
 
LVL 8

Expert Comment

by:pzozulka
ID: 21877058
None, I have the same problem except for me, I can access all regular domain computers. But, once I need to access a server or any other Admin machine that requires an Admin login, you no longer can. The management console, unfortunately, does not have the option to ask you for a username and password. The reason why command line works is because it verifies your identity. Computer management does not.
0
 
LVL 4

Expert Comment

by:antioed
ID: 21877170
Might be worth checking this article out; you may have seen it already:

http://support.microsoft.com/kb/225035
_____________________________________

Starting an MMC in Administrative Context Using a Saved .msc File
The example below uses an existing .MSC file, COMPMGMT.MSC. However, any MSC file can be started in a different security context using the method illustrated below.

While logged on as a normal user:
1.      Use Windows Explorer to copy the file COMPMGMT.MSC to your desktop. COMPMGMT.MSC can be found in the \%WINDIR%\SYSTEM32 directory. By default, this is the \WINNT\SYSTEM32 directory, located on the boot partition.
2.      Highlight the compmgmt icon on your desktop by using a single left-click.
3.      Hold down the Shift key and right-click on the compmgmt icon on the desktop.
4.      Select the Run as... command. You will be prompted with the "Run program as other user" dialog box.
5.      Type the name and password for the administrator account in the appropriate fields. Click OK.
A new MMC console will now appear with the Computer Management snap-in loaded. This snap-in is now running in the administrative context. In a similar fashion, a system administrator can create custom Microsoft Management Consoles containing frequently used administrative snap-ins and run them in administrative context using secondary logon.
0
 
LVL 1

Author Comment

by:InterWorks
ID: 21877910
Copied compmgmt.msc to desktop and ran as domain admin. Was still given access denied errors. Tried this as domain admin via running with current credentials, and running with specified credentials. I tried both checked and unchecked restricted access.

I then ran as the test account (which was a copied administrator) and was allowed access. I really think that there is a setting on the mx server which is denying the user DOMAIN\Administrator access to this information.

Any more ideas?
0
 
LVL 4

Expert Comment

by:antioed
ID: 21878294
Here we go:  http://www.pcreview.co.uk/forums/thread-1699527.php

DCOM must be enabled and rights configured properly...all covered in the link.
0
 
LVL 1

Author Comment

by:InterWorks
ID: 21878766
I've tried verifying the settings in WBEM/DCOM and things look just fine in there. I've been through a couple of MS KB articles with details on ensuring the settings were correct.
0
 
LVL 4

Expert Comment

by:antioed
ID: 21878920
Only thing I can think of beyond those requirements being met would be an explicit deny on needed rights for that DA account or the machine's security policy with regard  to some aspect of those required permissions/services.  Good luck!
0
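Added example, not part of the original thread: one way to look for the explicit deny suggested above is to repeat a remote WMI read under each account and then list the ACL on the target's root\cimv2 WMI namespace, with deny entries sorted first. The domain name CORP and the account name test are assumptions based on the question. The target must be Windows Vista/Server 2008 or later for GetSecurityDescriptor, and this covers only the WMI namespace ACL, not the DCOM launch and access permissions.

```powershell
# Added example (not from the thread). Run in Windows PowerShell 5.1 on the admin host.
$target   = 'corp-mx-01'                        # server named in the question
$accounts = 'CORP\Administrator', 'CORP\test'   # CORP and test are assumed names

# Step 1: attempt the same remote WMI read under each account and record the outcome.
$working = $null
foreach ($name in $accounts) {
    $cred = Get-Credential -UserName $name -Message "Password for $name"
    try {
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $target -Credential $cred -ErrorAction Stop
        Write-Output ("{0}: OK, read {1}" -f $name, $cs.Name)
        if (-not $working) { $working = $cred }   # keep the first credential that works
    } catch {
        # E_ACCESSDENIED (0x80070005) in the message is the Win32 access-denied code
        Write-Output ("{0}: FAILED, {1}" -f $name, $_.Exception.Message)
    }
}
if (-not $working) { throw 'No account could connect; cannot read the namespace ACL.' }

# Step 2: read the namespace security descriptor with the working account.
$sd = Invoke-WmiMethod -ComputerName $target -Credential $working -Namespace 'root\cimv2' -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($sd.ReturnValue)" }

# Step 3: list every ACE, deny entries first. AceType 1 = access denied, 0 = allowed.
$sd.Descriptor.DACL | ForEach-Object {
    [pscustomobject]@{
        Trustee    = '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name
        Type       = if ($_.AceType -eq 1) { 'DENY' } else { 'Allow' }
        AccessMask = '0x{0:X}' -f $_.AccessMask
        Inherited  = [bool]($_.AceFlags -band 0x10)   # 0x10 = INHERITED_ACE
    }
} | Sort-Object Type -Descending | Format-Table -AutoSize
```

A DENY row naming the failing account, or a group only that account belongs to, would account for one account being refused while its copy is allowed; if no such row appears, the restriction lies outside this namespace ACL.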
 
LVL 1

Author Comment

by:InterWorks
ID: 21883722
Any more ideas on this? I can successfully remotely view system properties of the specific server if I run compmgmt as a copied account of Administrator (test), but not if I am actually Administrator.

Unfortunately, I wouldn't even know where to look to check local security policies that would affect this.
0
 
LVL 4

Expert Comment

by:antioed
ID: 21885969
Domain Controllers get their security policy from a GPO...this link discusses that a bit...maybe if you poke around that DC GPO you can find some security setting related to the issue you are working on:  http://www.techexams.net/forums/viewtopic.php?p=183519

...sure sounds like that Administrator account is explicitly restricted from this operation (which may be by design) - I think you should see something about that in the DC GPO if that is the case.  Perhaps another expert has some specific insight on why the Administrator account would be specifically not allowed, by default, to perform this sort of function remotely to a DC.  Either way, at least it works with *some* account!
0
 
LVL 1

Author Comment

by:InterWorks
ID: 21999330
I wasn't able to find anything using RSOP to indicate that any access should be denied for any reason based off of the GPO. Any other ideas?
0
 
LVL 1

Author Comment

by:InterWorks
ID: 22073789
No further ideas as of right now. I'm calling Dell up to see if one of their awesome NOS analysts can work on it with me. If we figure this out, I'll post it.
0
 
LVL 1

Accepted Solution

by:
InterWorks earned 0 total points
ID: 22618381
I found this to be an issue with one specific server in the organization - it may be a corrupt profile or bad permissions somewhere. We simply used another server as a workaround.
0
