pbadra


Administrator lost rights

I am trying to install software on a Windows Server 2003 server.  When I try to download the file, I get, "your current security settings do not allow this file to be downloaded".  I am logged in as the administrator on a Windows Server 2003 machine.  I tried to run gpedit.msc, but I get "access is denied".  Whatever administrator rights were there are gone.  Whoever administered this server really locked it down to where the administrator cannot do administrator functions.  Need help fixing this.
MightySW

Be sure to go to Control Panel -> Add/Remove Programs -> Add/Remove Windows Components. You'll see an option about the security settings for regular users.

Also, start the Add/Remove Windows Components Wizard; you'll find an entry "Internet Explorer Enhanced Security" there -- uninstall it.

Also, right click on My Computer, Manage, double click on users and computers, double click on the user that you are using, and click the Member Of tab.  Ensure that they are a member of the administrators group.  If not, then add them.  If you cannot add them, then log in as a domain administrator or another account with administrator access and add that user to the administrators group.

HTH
apa1556

Has this server been added to a domain? If so, domain group policy may result in this behavior. If you have domain rights, try to sort that out. Worst case, remove it from the domain, add it to a workgroup & give it a try.
pbadra

ASKER

I am logged in as the "administrator" on a Windows Server 2003 machine running Active Directory.  This is the only server on the network.
Do you have a domain administrator account that you can use?  Did you rename the administrator account to something else and then create that administrator account as a 'dummy' account?
Did you just recently reset your administrator password using an unorthodox method?
If you are trying to log in as an administrator, this must be the domain administrator account, since this is the domain controller. If the previous guy has locked down the rights for administrator, there must be an account which he used to do so. Check how many domain administrator accounts reside in the domain, reset the password of one of them, and make the group policy settings change from there.
The other thing may be profile corruption; create a new domain admin account, log in & try to do the download.
Also, when you log in as administrator, run gpresult from a cmd prompt.  This will tell you which GPOs are afflicting the administrator account.  You may see a GPO that is stripping some rights from the administrator account.
What type of anti-virus software are you running?  Can you disable the email scanning portion?  
ignore that....
pbadra

ASKER

MightySW  - No, the administrator account password was not reset.  Administrator is part of the "domain admins" group.

apa1556 - There are 3 accounts in the "domain admins" group.  The Administrator is one of those accounts.  I have not tried the other two accounts.  While still logged in as administrator, I tried to create another user account, and I get "an error occurred -  contact your administrator."
This behavior occurs when the security settings for the Local intranet zone of the Web browser are set to High.

Windows Internet Explorer 7
Note: This resolution assumes that you are using Windows Internet Explorer 7 as your default browser. For information about how to download or upgrade Internet Explorer 7, visit the following Microsoft Web site:
http://microsoft.com/ie
1. Start Internet Explorer 7.
2. Click Tools, and then click Internet Options.
3. In the Internet Options dialog box, click the Security tab.
4. Click Local intranet, and then click Custom Level.
5. Under Reset Custom Settings, click Medium in the Reset to list.
6. Click OK two times.

Microsoft Internet Explorer 6
Note: This resolution assumes that you are using Microsoft Internet Explorer 6 as your default browser. For information about how to download or upgrade to Internet Explorer 6 Service Pack 1, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=1e1550cb-5e5d-48f5-b02b-20b602228de6 (http://microsoft.com/ie)
1. Start Internet Explorer 6.
2. On the Tools menu, click Internet Options.
3. In the Internet Options dialog box, click the Security tab.
4. Click Local intranet, and then click Custom Level.
5. Under Reset Custom Settings, click Medium in the Reset to list.
6. Click OK two times.
pbadra

ASKER

I ran Gpresult, but not sure what to look for.  Here is the output:

    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        IIS_WPG
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        SERVER$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
       

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=company,DC=com
    Last time Group Policy was applied: 1/10/2009 at 10:45:56 PM
    Group Policy was applied from:      SERVER.COMPANY.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        COMPANY
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        Schema Admins
        Enterprise Admins
       
That looks fine.

Try the other things we have suggested
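
For reading gpresult output like the one posted above, here is an added example (not part of the original thread) that splits the text into scopes and subsections and lists the applied GPOs, the filtered GPOs and the admin-related groups for one scope. The sample text is constructed from the USER SETTINGS portion shown above; the function names are hypothetical.

```python
# Constructed sample, modelled on the USER SETTINGS part of the output above.
SAMPLE = """\
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        BUILTIN\\Administrators
        Domain Admins
"""

def parse_gpresult(text):
    """Return {scope: {subsection title: [entries]}} from gpresult text."""
    lines = text.splitlines()
    result, scope, section = {}, "UNSCOPED", None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue                              # blank line or dashed underline
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"-"}:             # titles are underlined with dashes
            if line[0].isspace():                 # indented title: a subsection
                section = stripped
                result.setdefault(scope, {})[section] = []
            else:                                 # column-0 title: USER/COMPUTER SETTINGS
                scope, section = stripped, None
        elif section and not stripped.startswith("Filtering:"):
            result[scope][section].append(stripped)
    return result

def summarize(text, scope="USER SETTINGS"):
    """Pull out the three things worth reading first for one scope."""
    sections = parse_gpresult(text).get(scope, {})
    pick = lambda key: next((v for k, v in sections.items() if key in k), [])
    return {
        "applied_gpos": pick("Applied Group Policy Objects"),
        "filtered_gpos": pick("not applied"),
        "admin_groups": [g for g in pick("security groups") if "admin" in g.lower()],
    }
```

Run `summarize` once per scope (for example `"COMPUTER SETTINGS"` as well) so that policies applied to the machine are compared with those applied to the user.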
pbadra

ASKER

Server is running IE 6.  I can't get to Internet Options.  From IE 6, I click Tools, Internet options and nothing happens.

Also, the server is running Symantec Endpoint Protection; what will disabling email scanning do?  Doesn't seem like disabling will help any.
Your next course of action would be to recreate the administrator profile as apa suggested.  This is not a big deal.  Just make sure that you can login as a domain administrator.  You need an account, in the domain that has those same rights.  

It is looking more and more like you have spyware/malware issues.  Download Spybot Search and Destroy, and transfer it from a thumb drive or over the network using another account (domain admin).  Install it, run it, and get it cleaned up.  If you still receive the same errors, then log back in as the domain admin (by this I mean someone that is a member of the domain admins group).  Right click on My Computer, Properties, Advanced, User Profile Settings (middle button), click on administrator and then click Delete.  If it is greyed out, then reboot the computer again, and try it again with that same domain admin account.
Sorry, you were supposed to ignore that post :)

Can you please try to login as someone who is a member of the domain administrators group besides administrator?

I really see that SEP is a huge problem here.  If you make any changes here then the entire computer could be locked out.  This is why it is now so important that we see if you can make any of the changes with another account (domain admin group account) with SEP installed.  You may have to remove SEP and see if it clears up, but let's cross the other bridges first.

Log in as the domain administrator account and see what you can do there.
pbadra

ASKER

MightySW - your comment "login as a domain administrator".  If I am logged in as the administrator on the server that is a member of "domain admins" isn't that a domain administrator?  
Use another account other than 'administrator', preferably a member of the domain admins group.  When I am saying domain administrators, that is what I am referring to, so I apologize for the confusion.

What are the other two accounts that were listed under the domain administrators group in Active Directory Users and Computers?  Can you add another with your workstation or something?  Do you have the administrator tools installed somewhere else (on your XP desktop)?  

Give that a try, give everything else a try (especially the spybot, search and destroy download and run) and then try to login again as the 'administrator' and see if the problem still exists.

You should have full control of the box with another user that is a member of the domain admins group, as they are inherently a member of the administrators group on the domain controller (your server).
Can you try to add your domain account into the domain admin group & try to log in? Check & let us know.
pbadra

ASKER

MightySW - I disabled SEP (Symantec Endpoint Security), but no change.  Are you suggesting that SEP is not allowing the administrator to run gpedit.msc, which is one of the issues?  I tried to run gpedit.msc with SEP disabled, and I get "access is denied".  I also tried to run domain security policy and also got "access is denied".  Seems like this administrator is like a normal user.  I will have to try the other two domain admins, but unfortunately, I don't have their passwords.
That's why I asked you to use your own domain account.
pbadra

ASKER

apa1556  - I wish I had my own account.  I was just hired to maintain this server today.  So, I tried to create my own account, but could not.  Of course, I was logged in as the "administrator"  
Ok, as MightySW said, SEP can cause many issues. How did you disable it, within the program or by disabling the services? Try both.
Worst case, you have to ask your employer for permission to reset another domain admin's password; there won't be any issue unless they are running any special software which requires that account's permissions to start up some services. If in any doubt, just go through the services & check whether they seek permissions from those accounts.
The other thing: I'm not sure whether it will allow you to reset the password for those accounts. In that case you have to use a password resetting tool.
pbadra

ASKER

Regarding SEP, I turned off the auto-protect.  I just now disabled all of the SEP services, but no luck.

I will have to wait until tomorrow morning to try another domain admin user account.  

Somehow, the previous IT person took out the privileges of the "administrator" account and made it like a regular user account.  But I don't understand how that can be if the administrator is part of the "domain admins" group.  Am I missing something here?

Some other things to note.  Drive C: is running out of space and I am logged in remotely using Remote Desktop connection.  Not sure if any of these things makes a difference.
This may be either a permissions-taken-out problem or profile corruption.

Because of the RDP connection or low disk space this won't happen.
Sounds like the default domain GPO might have been messed with.

You can get into GPedit.msc by circumvention while logged in as administrator by doing the following:

1. Start Registry Editor (Regedt32.exe).
2. Locate the following registry key:
   HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC
3. Locate the RestrictToPermittedSnapins value and change it to 0.
4. Quit Registry Editor.
5. Try to start Group Policy Editor.

If you perform these steps and you still receive an error message when you attempt to use Group Policy Editor, use the following steps:

1. Start Registry Editor (Regedt32.exe).
2. Locate the following registry key:
   HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC
3. Change the Restrict_Run value to 0 in the following keys if they exist:
   {8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
   {0F6B957E-509E-11D1-A7CC-0000F87571E3}
4. Quit Registry Editor.
5. Try to start Group Policy Editor.

You can see the whole thing here:
http://support.microsoft.com/kb/263166  (it's 2000, but it is the same thing)

Also this was useful (top paragraph): http://www.derkeiler.com/Newsgroups/microsoft.public.win2000.security/2003-12/1973.html

Please do not worry about SEP.  That post was supposed to be ignored....

Thanks
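
Before changing anything under the MMC policy key named in the steps above, it helps to record which restriction values are actually set. The following is an added example (not from the original post or from the Microsoft article): it reads the text of a .reg export of that key and reports the RestrictToPermittedSnapins and Restrict_Run values that are non-zero. The sample export is constructed, and the function name is hypothetical.

```python
import re

MMC_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC"
WATCHED = {"RestrictToPermittedSnapins", "Restrict_Run"}

# Constructed sample of a .reg export of the MMC policy key.
# Real "Version 5.00" exports are UTF-16: open them with encoding="utf-16".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC]
"RestrictToPermittedSnapins"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}]
"Restrict_Run"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
"Restrict_Run"=dword:00000000
"""

def mmc_restrictions(reg_text):
    """Return [(key, value name, dword)] for watched values that are non-zero."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                   # a [KEY] header starts a new key
            key = m.group(1)
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and key and key.upper().startswith(MMC_KEY.upper()):
            name, value = m.group(1), int(m.group(2), 16)
            if name in WATCHED and value != 0:  # non-zero means the restriction is on
                findings.append((key, name, value))
    return findings
```

An empty result means none of the watched values is enabled in the export, so the "access is denied" on the snap-in has to come from somewhere else.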
Are you able to reset permissions in the files using your present account?
pbadra

ASKER

I was able to log in with one of the other domain admin accounts as MightySW suggested.  Is there an easy way to reset the GPO to default for the "administrator" account?
The Administrator might have been removed from the domain Admin group. Try adding it from the other admin account.
pbadra

ASKER

The "administrator" account is already a member of the "domain admins" group.  I believe the previous IT person went into the Group Policy Editor and restricted the Administrator account from performing administrator functions.  I am now looking for a quick way to restore the policy for the "administrator" to default.
If you have a small number of group policies, check each policy to see what it is linked to. If you are using GPMC then it will be easier. If any of the policies is linked to administrator, then remove the link. Also check for any restrictions in the default policy. The Resultant Set of Policy tool is also an option for troubleshooting in this case.
pbadra

ASKER

I ran GPresult and placed the output in one of the previous comments above.  From the output of GPresult, it shows the Applied GPO for the Administrator is "Default Domain Policy".
I would try looking at the machine policies instead of the user policies. The security of IE can be applied to the machine and restrict any user that signs on.