Problems with my domain admin account. Access denied when trying to modify workstation settings.

Posted on 2009-05-06
Last Modified: 2012-05-06
Hello and Good Morning:

Recently I installed Windows Server 2003 Standard Edition SP2 and Trend Micro Anti-virus on a Power Edge 650. Its primary role is Domain Controller and File Server. My next step was to add the selected workstations to the domain. Some of these workstations, which had Windows XP Pro SP3 and Windows XP Pro SP2 installed, are presenting group policy problems, where a domain admin account like mine can't make any changes, like manually configuring IP settings on the workstation NIC or adding/removing a printer. It is like having a Domain/Admin account with only Domain/User privileges.

Please help me find a solution to this problem. I'm seeking professional help from you guys.

Thank You.
Question by:Carlos_Miranda

Accepted Solution

Americom earned 100 total points
ID: 24315394
Are the machines in question joined to the domain yet? Or are they already joined to the domain, but after applying the GPO you lose admin rights? Need a bit of clarification if possible.

Assisted Solution

by:Mike Kline
Mike Kline earned 50 total points
ID: 24315506
You should run an RSoP report (using GPMC) to see if any "lockdown" policies are applying to admin accounts.  Admin accounts can be affected by GPOs just like any other account.
If you find that there are unwanted policies applying you can use security filtering so the policies don't apply to the admin accounts.  More on security filtering here:

Assisted Solution

alamow earned 100 total points
ID: 24315755
Do you have multiple OUs, or do all the computer accounts end up in the Computers container?  I have seen this problem when administrators have multiple OUs and give rights to certain personnel for their respective OU.  When the GPO is applied, those people are not allowed full rights on their workstations after adding them to the domain, because the computer account is created automatically in the Computers container, for which they have not been given full rights.  To resolve it without changing the GPO, just move the computer account to the container created to store those accounts in the respective OU.  Example:  Workstation1 account is in the Computers container - move Workstation1 to the Desktops container inside the HQ OU "HQ\Desktops"
The other solution is to manually create the account and give rights to the admin group or user for the respective OU.

Not sure if this is your case, but hope it helps.

Assisted Solution

Americom earned 100 total points
ID: 24316281
The problem is that the admin cannot make changes to a machine, such as configuring the TCP/IP settings or adding/removing printers. This has nothing to do with the computer object being in the default Computers container, as GPOs do not apply there. It is more like there may be a GPO preventing or denying access to all users or to a specific security group which the admin account is a member of, linked to the OU where the computer object is, as Mike suggested above.

Assisted Solution

alamow earned 100 total points
ID: 24317493
That is exactly why I told him to check the location of the object.  If the GPO prevents (denies) someone from doing that on a machine, it could be because the computer account object in AD is not in the OU where the user does have rights to manage it.

Like I said, I do not know if this is his case (multiple OUs with different admins for each one and a GPO controlling those access rights).  If it is not the case, then all computer account objects are located in a single place for all admins to manage them.  Then the GPO is the problem as, like Americom and Mike said, your admin group is being affected by the GPO.  The GPO is being applied to your admin group.
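
The checks discussed in this thread, as an added example that is not part of any post: it parses saved `gpresult` summary text from an affected workstation and reports whether the computer account sits in the default Computers container, whether the logged-on user is in the admin group, and which GPOs are in effect and worth reviewing. The sample text and every name in it are constructed; `parse_gpresult` and `triage` are hypothetical helpers.

```python
# Constructed sample modeled on the summary `gpresult` prints on Windows XP;
# every name in it is made up for illustration.
SAMPLE = """\
COMPUTER SETTINGS
------------------
    CN=WORKSTATION1,CN=Computers,DC=example,DC=local
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
USER SETTINGS
--------------
    CN=Site Admin,OU=HQ,DC=example,DC=local
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        HQ Desktop Lockdown
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Admins
"""

def parse_gpresult(text):
    report, scope, section = {}, None, None
    for s in (line.strip() for line in text.splitlines()):
        if s in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, section = s.split()[0].lower(), None
            report[scope] = {"dn": "", "applied": [], "groups": []}
        elif not s or set(s) == {"-"} or scope is None:
            continue                      # blank, dashed underline, or banner
        elif s.startswith("CN=") and not report[scope]["dn"]:
            report[scope]["dn"] = s       # first DN in a scope is the object itself
        elif s == "Applied Group Policy Objects":
            section = "applied"
        elif s.endswith("security groups:"):
            section = "groups"
        elif s.startswith("The following GPOs were not applied"):
            section = None                # filtered-out GPOs are not in effect
        elif section:
            report[scope][section].append(s)
    return report

def triage(report, admin_group="Domain Admins"):
    comp, user = report["computer"], report["user"]
    return {  # CN=Computers is a container, not an OU: no GPO links to it directly
        "in_default_container": ",cn=computers," in comp["dn"].lower(),
        "admin_group_member": admin_group in user["groups"],
        "gpos_to_review": sorted(set(comp["applied"] + user["applied"])),
    }
```

A result with `admin_group_member` true and a non-empty `gpos_to_review` points at the listed GPOs' settings and security filtering rather than at missing group membership.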


Question has a verified solution.
