Solved

Error accessing remote computer system properties via compmgmt.msc as Administrator.

Posted on 2008-06-26
13
1,292 Views
Last Modified: 2012-05-05
I have a domain controller called corp-dc-01, and a mail server called corp-mx-01. When I log in to corp-dc-01 as administrator, go to computer management, connect to corp-mx-01, and try and display the system properties (by right clicking Computer Management and going to Properties), I get an error: "Win32: Access Denied"

I copied the administrator account to a test account in the same OU, and can successfully view the system properties from the test account - so it seems that no Group Policies are blocking that access.

What steps can I take to help get to the root cause of the Administrator account not having access to the mx system properties remotely? It's also affecting about 30 workstations, so I'm hoping that I can resolve it fairly easily once we come up with a resolution.
0
Comment
Question by:InterWorks
  • 7
  • 4
  • 2
13 Comments
 
LVL 8

Expert Comment

by:pzozulka
ID: 21876891
In command prompt: SystemInfo /S computername /U Domain\Username /P password

Thanks to:

http://www.experts-exchange.com/Hardware/Misc/Q_23518659.html
0
 
LVL 1

Author Comment

by:InterWorks
ID: 21876996
Using the command line tool allows me to view the information. However, I'm still concerned about not being able to do that via Computer Management, and getting the Win32 error. Any ideas on resolving that?
0
 
LVL 8

Expert Comment

by:pzozulka
ID: 21877058
None, I have the same problem except for me, I can access all regular domain computers. But, once I need to access a server or any other Admin machine that requires an Admin login, you no longer can. The management console, unfortunately, does not have the option to ask you for a username and password. The reason why command line works is because it verifies your identity. Computer management does not.
0
 
LVL 4

Expert Comment

by:antioed
ID: 21877170
Might be worth checking this article out; you may have seen it already:

http://support.microsoft.com/kb/225035
_____________________________________

Starting an MMC in Administrative Context Using a Saved .msc File
The example below uses an existing .MSC file, COMPMGMT.MSC. However, any MSC file can be stated in a different security context using the method illustrated below.

While logged on as a normal user:
1.      Use Windows Explorer to copy the file COMPMGMT.MSC to your desktop. COMPMGMT.MSC can be found in the \%WINDIR%\SYSTEM32 directory. By default, this is the \WINNT\SYSTEM32 directory, located on the boot partition.
2.      Highlight the compmgmt icon on your desktop by using a single left-click.
3.      Hold down the Shift key and right-click on the compmgmt icon on the desktop.
4.      Select the Run as... command. You will be prompted with the "Run program as other user" dialog box.
5.      Type the name and password for the administrator account in the appropriate fields. Click OK.
A new MMC console will now appear with the Computer Management snap-in loaded. This snap-in is now running in the administrative context. In a similar fashion, a system administrator can create custom Microsoft Management Consoles containing frequently used administrative snap-ins and run them in administrative context using secondary logon.
0
 
LVL 1

Author Comment

by:InterWorks
ID: 21877910
Copied compmgmt.msc to desktop and ran as domain admin. Was still given access denied errors. Tried this as domain admin via running with current credentials, and running with specified credentials. I tried both checked and unchecked restricted access.

I then ran as the test account (which was a copied administrator) and was allowed access. I really think that there is a setting on the mx server which is denying the user DOMAIN\Administrator access to this information.

Any more ideas?
0
 
LVL 4

Expert Comment

by:antioed
ID: 21878294
Here we go:  http://www.pcreview.co.uk/forums/thread-1699527.php

DCOM must be enabled and rights configured properly...all covered in the link.
0
 
LVL 1

Author Comment

by:InterWorks
ID: 21878766
I've tried verifying the settings in WBEM/DCOM and things look just fine in there. I've been trough a couple of MS KB articles with details on ensuring the settings were correct.
0
 
LVL 4

Expert Comment

by:antioed
ID: 21878920
Only thing I can think of beyond those requirements being met would be an explicit deny on needed rights for that DA account or the machine's security policy with regard  to some aspect of those required permissions/services.  Good luck!
0
 
LVL 1

Author Comment

by:InterWorks
ID: 21883722
Any more ideas on this? I can successfully remotely view system properties of the specific server if I run compmgmt as a copied account of Administrator (test), but not if I am actually Administrator.

Unfortunately, I wouldn't even know where to look to check local security policies that would affect this.
0
 
LVL 4

Expert Comment

by:antioed
ID: 21885969
Domain Controllers get their security policy from a GPO...this link discusses that a bit...maybe if you poke around that DC GPO you can find some security setting related to the issue you are working on:  http://www.techexams.net/forums/viewtopic.php?p=183519

...sure sounds like that Administrator account is explicitly restricted from this operation (which may be by design) - I think you should see something about that in the DC GPO if that is the case.  Perhaps another expert has some specific insight on why the Administrator account would be specifically not allowed, by default, to perform this sort of function remotely to a DC.  Either way, at least it works with *some* account!
0
 
LVL 1

Author Comment

by:InterWorks
ID: 21999330
I wasn't able to find anything using RSOP to indicate that any access should be denied for any reason based off of the GPO. Any other ideas?
0
 
LVL 1

Author Comment

by:InterWorks
ID: 22073789
No further ideas as of right now. I'm calling Dell up to see if one of their awesome NOS analysts can work on it with me. If we figure this out, I'll post it.
0
 
LVL 1

Accepted Solution

by:
InterWorks earned 0 total points
ID: 22618381
I found this to be an issue with one specific server in the organization - it may be a corrupt profile or bad permissions somewhere. We simply used another server as a workaround.
0

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now