?
Solved

"Windows cannot access the specified device, path, or file.You may not have the appropriate permissions to access them item"

Posted on 2009-02-20
22
Medium Priority
?
4,452 Views
Last Modified: 2012-05-06
Hello,

I've been building a dozen or so windows server 2008 standard server recently. Everything was going fine. Then I added them to the new domain I created and I started noticing the User Account Control popups when I logged in as a domain admin. Now all of a sudden (no rhyme or reason) I get the following error when opening any application that comes with windows server:

Windows cannot access the specified device, path, or file.You may not have the appropriate permissions to access them item

I'm a domain admin but no luck. I can't do anything unless I log in as a local administrator instead of on domain. I tried adding Domain Admins to local administrators group and got a popup saying it was already in there, but I guess server 2008 doesn't show this and hides it.

There are a lot of suggestions out there to uninstall IE Enhanced Security Configuration, however there's two problems.

The first is that I don't think you can uninstall in server 2008. You can go to Server Manager, configure IE ESC and turn off for adminsitrators and users (been there done that), but I doubt this uninstalls it.

Secondly, the security requirements for our client require we leave this service on anyway.

Anyone have any ideas. It's not the installation because this is happening on multiple servers now that I've added them to the domain. Just not when I log on locally.

POINTS await a winner. I need this solved ASAP. Thanks!
0
Comment
Question by:GCIT_Manager
  • 12
  • 4
  • 2
  • +3
22 Comments
 
LVL 4

Expert Comment

by:g127404
ID: 23698559
Does this help at all?  I'm no expert in the area, but a google search turned up this:

http://forums.techarena.in/windows-server-help/998423.htm
0
 

Author Comment

by:GCIT_Manager
ID: 23698570
I don't understand. I can't add C:\ to trusted sites. Won't let me. Not valid format.

I tried \\servername and that didn't help either. This whole idea is really odd (it's not your fault :-|  )
0
 
LVL 4

Expert Comment

by:g127404
ID: 23698603
I don't want to waste your time with suggestions or clutter your thread here in the event that someone knows the answer.. but I'd still like to help.  I know the frustration being an IT guy myself.

In further reading I've seen a lot of users reporting firewall issues.  I know it doesn't sound directly connected.. one user said he installed NVIDIA Nforce drivers  that included a firewall which was conflicting with zonealarm.

Also reports of virus scanners such as Trendmicro Internet Security doing this.

I guess the question is... have you installed anything other than the default windows 2008 server OS?

0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 57

Expert Comment

by:McKnife
ID: 23699616
Slowly. First, everything was fine. Then you added them to the domain and you started noticing the User Account Control popups - this is perfectly normal, even with a logged on domain admin. Only the local administrator is not influenced by UAC.
Then you say "Now all of a sudden (no rhyme or reason) I get the following error..." while again saying later "this is happening on multiple servers now that I've added them to the domain" - so it is not all of a sudden, is it? Is it right after adding them to the domain or not?
It should be no problem to locate the point in time when this starts happening. If domain membership causes it, use rsop.msc to see all applied policies.
IE ESC is not responsible for local applications. I suspect a software restriction policy becoming effective. Are those applied to your domain? RSOP would tell you.
0
 
LVL 12

Expert Comment

by:rionroc
ID: 23699756
Hello

Try to set your Sharing and Security model for local accounts to: [Classic - Local Users Authenticate as themselves]. (for testing only)


Great is our GOD.
:)
rionroc

0
 

Author Comment

by:GCIT_Manager
ID: 23701019
g127404:
We have a few third party apps installed but these do not include any firewall type software or drivers. Things like Notepad++.

McKnife: It is right after adding to domain and then logging in as domain account. The only GPO's that exist are the default group policy. We have not created any custom ones yet. I also ran rsop.msc and it showed nothing out the of the default settings. None of the handful that are set indicated anything like this experience. I should also clarify, i can run apps like notepad ++. I just can't open anything in adminsitrator tools or other Microsoft settings windows.
0
 

Author Comment

by:GCIT_Manager
ID: 23701044
RIONROC: your suggested setting is the default as this is was it's set to. still no luck

:-(
0
 

Author Comment

by:GCIT_Manager
ID: 23702992
shameless bump
0
 
LVL 4

Expert Comment

by:g127404
ID: 23703015
You get this error on all dozen servers?  Other than notepadd++ can you list what programs do work and which ones don't work?  Do the programs that don't work, work ok in safe mode? If detaching from the domain does the error still occur?  Have you checked the permsissions on the executables you're trying to run to make sure you do have permission?

If nothing else I believe you get 1 or 2 free incidents to call microsoft with a new server.
0
 

Author Comment

by:GCIT_Manager
ID: 23703215
none of the typical applications found in the System32 folder work.

I haven't tested it yet but I think removing from the domain will make it work, but that's only because then I'll be logging in locally. I already know it works if I log on locally though.

I checked the permissions and there's no deny anywhere.

I may just have to call MSFT. Thanks for the reminder about the free incidents.
0
 
LVL 4

Expert Comment

by:g127404
ID: 23703223
I understand that it's a requirement to leave IE Enhanced Security Configuration, but for the sake of testing, can you go into Add/Remove Programs and find that entry and uninstall it, reboot, and let us know if there is any change?
0
 

Author Comment

by:GCIT_Manager
ID: 23703227
It doesn't show up in add/remove programs in server 2008. It's in the server manager window ("Configured IE ESC"). I already told it to NOT run for administrators and users but still no luck. I've even turned off UAC but all that does is get rid of the security prompt. I still get the error. I've attached the picture to this post.
access-file-error.JPG
0
 

Author Comment

by:GCIT_Manager
ID: 23703239
I contacted them and they said I do NOT have 2 free tickets. this stinks.
0
 

Author Comment

by:GCIT_Manager
ID: 23703267
One note. It works fine on our domain controller computers even when logged in as a domain admin.
0
 

Author Comment

by:GCIT_Manager
ID: 23703280
I also just noticed that in the domain controllers where this access does work, the files have MYDOMAIN\Adminsitrators listed in the security tab with Read&Execute and Read access allowed. In the servers where access is denied, this group isn't in the list, but instead just "SERVERNAME\Administrators" with the same level of access. I'm guessing this is somehow related. this is true in all the windows\sysytem32 admin applications.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 23704276
The domain controllers don't know servername\username anymore, they only have domain\username, that's normal behavior and should not be part of the problem.
Please try the effective permissions tab (for services.msc for example) and have the server list the permissions for your admin account.
Also go one step further in: download and start procmon and have the process of opening services.msc logged and find out about access denials. Use the crosshair to filter the explorer window for a smaller log.
0
 

Author Comment

by:GCIT_Manager
ID: 23705211
Thanks everyone. I have a major deadline for this and thus I have reverted (using our SAN) to pre-AD for all our servers. This issue is one of many I've been having. I'm praying this doesn't happen on the second try. If so I will definitely do your suggestions.

McKnife: before reverting back I tried going to effect permissions, but there was no Add/Remove button for accounts, nor was there the ability to edit any of the file security settings. Grayed out. This was not true on the domain controllers where I could change who I was looking up for effective permissions.

Anyway, if any other ideas please post because there's a chance the issues will come back once I install AD again.

One other question: Do you think I should configure all the roles and features before I add servers to the domain or add them to AD and then add the features and roles? things like IIS, Application Role, etc.

Thanks!
0
 
LVL 1

Expert Comment

by:cristides
ID: 23772212
Un-install IE Enhanced security from Windows Components
0
 
LVL 1

Expert Comment

by:cristides
ID: 23772248
OR ,
Right click on the file and open Properties ;  Under General tab, towards the bottom you will see classified under Security : This file came from another computer and might be blocked to help protect this computer. Unblock it. Click apply > OK
0
 

Author Comment

by:GCIT_Manager
ID: 23773767
cristides: already done. no effect. that security setting isn't there either.

i've resorted to format/reinstall. so far so good. very odd.
0
 

Accepted Solution

by:
GCIT_Manager earned 0 total points
ID: 23836345
nothing fixed this except rebuilding whole environment. I think it may have had to do with corrupt images after runnning sysprep but can't be positive anymore.
0
 

Expert Comment

by:agcousg
ID: 35206360
I have a solution for this although it is now too late.  McAfee antivirus was blocking this and giving the error shown above.  Even after disabling AV this file was still blocked.  To unblock it, you need to right click, properties and click the Unblock box.  This enables the  software again and can be installed.
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question