How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Posted on 2011-03-21
Last Modified: 2012-05-11
How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Even though a particular domain user has been given administrator rights on the Server 2003 server, he is unable to access Control Panel on the server since access to this resource is not allowed.

When I log onto the server as a domain administrator, I have full administrator rights and can fully modify and change the server settings.

However, when I log onto the server as this particular domain user who does have administrator rights, I am unable to make any of these changes or modifications.

How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Question by:Knowledgeable
  • 3
  • 2

Author Comment

ID: 35185312
Here is the exact error message (see the screenshot):

“This operating has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.”


Author Comment

ID: 35185413
I receive the exact same error message if I open a command prompt and type in the following command:

runas /user:administrator@domain.local "control.exe"

Please Note: I have changed the actual domain name above, so as not to reveal the name of the company I am consulting for.

The change that I need to make applies to only this one particular domain user (who regularly establishes Remote Desktop sessions to this server) and has to be made while this user is logged onto the server using his domain account.

I have given the user local administrator rights, and domain administrator rights, but I still continue to receive these errors while I am logged onto the server as him.

There are also lots of other restrictions in place, such as not having the Control Panel icon and not being able to access Control Panel in any other method.

I also don't have the ability to right click while logged on as this user.

The only change that I need to make is to change which Exchange server the user connects to when launching Outlook.

Unfortunately, this is a change that I am unable to make at all until I am able to temporarily disable these security settings.

Once I have made this change to the Exchange server setting within Outlook, I will reapply these security settings.

How can I temporarily disable these security settings for this particular user?
LVL 14

Accepted Solution

amichaell earned 500 total points
ID: 35185424
There is most likely a Group Policy Object restricting access.  The GPO has mostly likely been denied to the domain admins group, which is why you are able to access, though the user cannot.  From the server's command line run GPRESULT to determine the GPOs in effect on the server.  

Could also be a local policy (Start -> Run -> GPEDIT.MSC).

Author Comment

ID: 35185432
Where exactly can I find this security setting within the local Group Management console?
LVL 14

Assisted Solution

amichaell earned 500 total points
ID: 35185513
Check under User Configuration -> Administrative Templates -> Control Panel.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question