Solved

How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Posted on 2011-03-21
5
478 Views
Last Modified: 2012-05-11
How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Even though a particular domain user has been given administrator rights on the Server 2003 server, he is unable to access Control Panel on the server since access to this resource is not allowed.

When I log onto the server as a domain administrator, I have full administrator rights and can fully modify and change the server settings.

However, when I log onto the server as this particular domain user who does have administrator rights, I am unable to make any of these changes or modifications.

How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

0
Comment
Question by:Knowledgeable
  • 3
  • 2
5 Comments
 

Author Comment

by:Knowledgeable
Comment Utility
Here is the exact error message (see the screenshot):

“This operating has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.”

Restrictions.png
0
 

Author Comment

by:Knowledgeable
Comment Utility
I receive the exact same error message if I open a command prompt and type in the following command:

runas /user:administrator@domain.local "control.exe"

Please Note: I have changed the actual domain name above, so as not to reveal the name of the company I am consulting for.

The change that I need to make applies to only this one particular domain user (who regularly establishes Remote Desktop sessions to this server) and has to be made while this user is logged onto the server using his domain account.

I have given the user local administrator rights, and domain administrator rights, but I still continue to receive these errors while I am logged onto the server as him.

There are also lots of other restrictions in place, such as not having the Control Panel icon and not being able to access Control Panel in any other method.

I also don't have the ability to right click while logged on as this user.

The only change that I need to make is to change which Exchange server the user connects to when launching Outlook.

Unfortunately, this is a change that I am unable to make at all until I am able to temporarily disable these security settings.

Once I have made this change to the Exchange server setting within Outlook, I will reapply these security settings.

How can I temporarily disable these security settings for this particular user?
0
 
LVL 14

Accepted Solution

by:
amichaell earned 500 total points
Comment Utility
There is most likely a Group Policy Object restricting access.  The GPO has mostly likely been denied to the domain admins group, which is why you are able to access, though the user cannot.  From the server's command line run GPRESULT to determine the GPOs in effect on the server.  

Could also be a local policy (Start -> Run -> GPEDIT.MSC).
0
 

Author Comment

by:Knowledgeable
Comment Utility
Where exactly can I find this security setting within the local Group Management console?
0
 
LVL 14

Assisted Solution

by:amichaell
amichaell earned 500 total points
Comment Utility
Check under User Configuration -> Administrative Templates -> Control Panel.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now