[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1556
  • Last Modified:

Domain Admin: Getting Access Denied and Insufficient Rights Dialog Boxes

Just took over a SBS network for a company that outed their old admin. The company is trying to do everything it can to not utilize the old admin any longer... including any future contact.  One of my first tasks was to make sure the old admin could no longer access the network. I logged into the server under the built-in Administrator account, changed that password immediately, but then was shocked to what I found. I could not do many things an admin, and a Domain Admin at that, should be able to do. I cannot, for example, delete the old admins AD user account, I cannot create new user accounts utilizing the Administrator template, etc.  Nothing of privilege can I do. I checked the Domain Admin group, I can confirm I am a part of that group. I checked Group Policy... nothing strange there. Ran a Group Policy report on the Administrator account and it belongs to these security groups:

[domain-name-removed]\Domain Users
BUILTIN\Administrators
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
[domain-name-removed]\Domain Admins
[domain-name-removed]\Group Policy Creator Owners

There is no other super-user account that I can find& the only candidate would be the User account for the old admin& a separate account than the Administrator account& but his old account is not part of any special group other than the same listed above& so anything that would block my account from doing much would block his account too.  

Any ideas?
0
Tercestisi
Asked:
Tercestisi
  • 5
  • 4
  • 2
  • +1
1 Solution
 
swallerCommented:
Have you tried creating a new account and give it admin and domain admin privileges?
0
 
TercestisiAuthor Commented:
Yes; I cannot grant anything above User privileges for new accounts.
0
 
Hardeep_SalujaCommented:
any service running in your user context?
try to disable 3rd party services/startup's using msconfig..
Let me know..
Thanks
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
TercestisiAuthor Commented:
No, nothing out of the ordinary.

I'm really stumped here guys. It seems I only have the permissions of a User even though I am logging in as an Admin. Strange too is that I cannot even change the Administrator User account settings in AD. For example, I can ctl-alt-delete and change my Administrator password but if I try to change the Administrator password through AD User interface I get the Active Directory popup box stating Access Denied.
0
 
Hardeep_SalujaCommented:
try resetting your password with enterprise admin (inbuilt) account and then try to see .. it should work
0
 
TercestisiAuthor Commented:
The only inbuilt account is the Administrator account; this is the one I am logging in with.
0
 
ScottGranadoCommented:
ok try this, to gain access to the system account: http://alieneyes.wordpress.com/2006/10/23/how-to-gain-access-to-system-account-the-most-powerful-account-in-windows/

I'm also now thinking that maybe the old administrator modified and did some really weird things to the schema, i'm researching what they could have changed.
0
 
TercestisiAuthor Commented:
Yeah, I thought about the whole admin -> system elevation trick but I didn't attempt it because I figured that wouldn't work in SBS like it did in XP; might be worth a shot.
0
 
Hardeep_SalujaCommented:
hii.. yes u can do it with system account which can be used as a super user and has rights more than admin
but it is not recommended as sometimes it can cause unusal problems on your machine
Instead, you can try tool Erd commander (see sysinternals) which reset password of admin
Erd commander has a tool > Locksmith which resets any password (including administrator)
Check http://www.fullandfree.info/software/erd-commander-2005/

Only limitation is Locksmith utility in ERD Commander 2005 cannot change passwords of domain accounts that are cached
http://support.microsoft.com/kb/935005

Let me know..
Thanks
0
 
TercestisiAuthor Commented:
Hmm... I figured out the problem.

I've been using the Server Management console and accessing the ADUC under the Advanced Management& which should give me the same results& but instead gives me drastically different results than going to Administrative Tools -> ADUC  why would that be? There is no Security tab present when going through Server Management and therefore I was never seeing the permissions as I should.          
0
 
ScottGranadoCommented:
ahh, i'm really glad you found the problem, i've been checking this very frequently for the solution
0
 
Hardeep_SalujaCommented:
ok that's great!!!! :)
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

  • 5
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now