Solved

Domain Admin: Getting Access Denied and Insufficient Rights Dialog Boxes

Posted on 2008-10-08
Last Modified: 2008-10-21
Just took over an SBS network for a company that outed their old admin. The company is trying to do everything it can to not utilize the old admin any longer... including any future contact. One of my first tasks was to make sure the old admin could no longer access the network. I logged into the server under the built-in Administrator account, changed that password immediately, but then was shocked at what I found. I could not do many things an admin, and a Domain Admin at that, should be able to do. I cannot, for example, delete the old admin's AD user account, I cannot create new user accounts utilizing the Administrator template, etc. Nothing of privilege can I do. I checked the Domain Admin group, I can confirm I am a part of that group. I checked Group Policy... nothing strange there. Ran a Group Policy report on the Administrator account and it belongs to these security groups:

[domain-name-removed]\Domain Users
BUILTIN\Administrators
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
[domain-name-removed]\Domain Admins
[domain-name-removed]\Group Policy Creator Owners

There is no other super-user account that I can find... the only candidate would be the User account for the old admin... a separate account than the Administrator account... but his old account is not part of any special group other than the same listed above... so anything that would block my account from doing much would block his account too.

Any ideas?
Question by:Tercestisi
12 Comments
 

Expert Comment

by:swaller
ID: 22675085
Have you tried creating a new account and giving it admin and domain admin privileges?

Author Comment

by:Tercestisi
ID: 22675252
Yes; I cannot grant anything above User privileges for new accounts.

Expert Comment

by:Hardeep_Saluja
ID: 22675351
Any service running in your user context?
Try to disable 3rd party services/startups using msconfig.
Let me know..
Thanks

Author Comment

by:Tercestisi
ID: 22679928
No, nothing out of the ordinary.

I'm really stumped here, guys. It seems I only have the permissions of a User even though I am logging in as an Admin. Strange too is that I cannot even change the Administrator User account settings in AD. For example, I can Ctrl-Alt-Delete and change my Administrator password, but if I try to change the Administrator password through the AD User interface I get the Active Directory popup box stating Access Denied.

Expert Comment

by:Hardeep_Saluja
ID: 22683605
Try resetting your password with the enterprise admin (inbuilt) account and then see... it should work.

Author Comment

by:Tercestisi
ID: 22683623
The only inbuilt account is the Administrator account; this is the one I am logging in with.

Expert Comment

by:ScottGranado
ID: 22683798
OK, try this to gain access to the system account: http://alieneyes.wordpress.com/2006/10/23/how-to-gain-access-to-system-account-the-most-powerful-account-in-windows/

I'm also now thinking that maybe the old administrator modified and did some really weird things to the schema; I'm researching what they could have changed.

Author Comment

by:Tercestisi
ID: 22684093
Yeah, I thought about the whole admin -> system elevation trick but I didn't attempt it because I figured that wouldn't work in SBS like it did in XP; might be worth a shot.

Expert Comment

by:Hardeep_Saluja
ID: 22691461
Hi, yes, you can do it with the system account, which can be used as a super user and has more rights than admin,
but it is not recommended, as sometimes it can cause unusual problems on your machine.
Instead, you can try the tool ERD Commander (see Sysinternals), which resets the admin password.
ERD Commander has a tool, Locksmith, which resets any password (including administrator).
Check http://www.fullandfree.info/software/erd-commander-2005/

The only limitation is that the Locksmith utility in ERD Commander 2005 cannot change passwords of domain accounts that are cached:
http://support.microsoft.com/kb/935005

Let me know..
Thanks

Accepted Solution

by:Tercestisi
ID: 22694438
Hmm... I figured out the problem.

I've been using the Server Management console and accessing the ADUC under the Advanced Management... which should give me the same results... but instead gives me drastically different results than going to Administrative Tools -> ADUC... why would that be? There is no Security tab present when going through Server Management and therefore I was never seeing the permissions as I should.

Expert Comment

by:ScottGranado
ID: 22737122
Ahh, I'm really glad you found the problem; I've been checking this very frequently for the solution.

Expert Comment

by:Hardeep_Saluja
ID: 22746741
OK, that's great!!!! :)
