Domain Admin: Getting Access Denied and Insufficient Rights Dialog Boxes

Just took over a SBS network for a company that outed their old admin. The company is trying to do everything it can to not utilize the old admin any longer... including any future contact.  One of my first tasks was to make sure the old admin could no longer access the network. I logged into the server under the built-in Administrator account, changed that password immediately, but then was shocked to what I found. I could not do many things an admin, and a Domain Admin at that, should be able to do. I cannot, for example, delete the old admins AD user account, I cannot create new user accounts utilizing the Administrator template, etc.  Nothing of privilege can I do. I checked the Domain Admin group, I can confirm I am a part of that group. I checked Group Policy... nothing strange there. Ran a Group Policy report on the Administrator account and it belongs to these security groups:

[domain-name-removed]\Domain Users
BUILTIN\Administrators
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
[domain-name-removed]\Domain Admins
[domain-name-removed]\Group Policy Creator Owners

There is no other super-user account that I can find& the only candidate would be the User account for the old admin& a separate account than the Administrator account& but his old account is not part of any special group other than the same listed above& so anything that would block my account from doing much would block his account too.  

Any ideas?
TercestisiAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
TercestisiConnect With a Mentor Author Commented:
Hmm... I figured out the problem.

I've been using the Server Management console and accessing the ADUC under the Advanced Management& which should give me the same results& but instead gives me drastically different results than going to Administrative Tools -> ADUC  why would that be? There is no Security tab present when going through Server Management and therefore I was never seeing the permissions as I should.          
0
 
swallerCommented:
Have you tried creating a new account and give it admin and domain admin privileges?
0
 
TercestisiAuthor Commented:
Yes; I cannot grant anything above User privileges for new accounts.
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
Hardeep_SalujaCommented:
any service running in your user context?
try to disable 3rd party services/startup's using msconfig..
Let me know..
Thanks
0
 
TercestisiAuthor Commented:
No, nothing out of the ordinary.

I'm really stumped here guys. It seems I only have the permissions of a User even though I am logging in as an Admin. Strange too is that I cannot even change the Administrator User account settings in AD. For example, I can ctl-alt-delete and change my Administrator password but if I try to change the Administrator password through AD User interface I get the Active Directory popup box stating Access Denied.
0
 
Hardeep_SalujaCommented:
try resetting your password with enterprise admin (inbuilt) account and then try to see .. it should work
0
 
TercestisiAuthor Commented:
The only inbuilt account is the Administrator account; this is the one I am logging in with.
0
 
ScottGranadoCommented:
ok try this, to gain access to the system account: http://alieneyes.wordpress.com/2006/10/23/how-to-gain-access-to-system-account-the-most-powerful-account-in-windows/

I'm also now thinking that maybe the old administrator modified and did some really weird things to the schema, i'm researching what they could have changed.
0
 
TercestisiAuthor Commented:
Yeah, I thought about the whole admin -> system elevation trick but I didn't attempt it because I figured that wouldn't work in SBS like it did in XP; might be worth a shot.
0
 
Hardeep_SalujaCommented:
hii.. yes u can do it with system account which can be used as a super user and has rights more than admin
but it is not recommended as sometimes it can cause unusal problems on your machine
Instead, you can try tool Erd commander (see sysinternals) which reset password of admin
Erd commander has a tool > Locksmith which resets any password (including administrator)
Check http://www.fullandfree.info/software/erd-commander-2005/

Only limitation is Locksmith utility in ERD Commander 2005 cannot change passwords of domain accounts that are cached
http://support.microsoft.com/kb/935005

Let me know..
Thanks
0
 
ScottGranadoCommented:
ahh, i'm really glad you found the problem, i've been checking this very frequently for the solution
0
 
Hardeep_SalujaCommented:
ok that's great!!!! :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.