Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Posted on 2011-03-21
Medium Priority
Last Modified: 2012-05-11
How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Even though a particular domain user has been given administrator rights on the Server 2003 server, he is unable to access Control Panel on the server since access to this resource is not allowed.

When I log onto the server as a domain administrator, I have full administrator rights and can fully modify and change the server settings.

However, when I log onto the server as this particular domain user who does have administrator rights, I am unable to make any of these changes or modifications.

How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Question by:Knowledgeable
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Author Comment

ID: 35185312
Here is the exact error message (see the screenshot):

“This operating has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.”


Author Comment

ID: 35185413
I receive the exact same error message if I open a command prompt and type in the following command:

runas /user:administrator@domain.local "control.exe"

Please Note: I have changed the actual domain name above, so as not to reveal the name of the company I am consulting for.

The change that I need to make applies to only this one particular domain user (who regularly establishes Remote Desktop sessions to this server) and has to be made while this user is logged onto the server using his domain account.

I have given the user local administrator rights, and domain administrator rights, but I still continue to receive these errors while I am logged onto the server as him.

There are also lots of other restrictions in place, such as not having the Control Panel icon and not being able to access Control Panel in any other method.

I also don't have the ability to right click while logged on as this user.

The only change that I need to make is to change which Exchange server the user connects to when launching Outlook.

Unfortunately, this is a change that I am unable to make at all until I am able to temporarily disable these security settings.

Once I have made this change to the Exchange server setting within Outlook, I will reapply these security settings.

How can I temporarily disable these security settings for this particular user?
LVL 14

Accepted Solution

amichaell earned 2000 total points
ID: 35185424
There is most likely a Group Policy Object restricting access.  The GPO has mostly likely been denied to the domain admins group, which is why you are able to access, though the user cannot.  From the server's command line run GPRESULT to determine the GPOs in effect on the server.  

Could also be a local policy (Start -> Run -> GPEDIT.MSC).

Author Comment

ID: 35185432
Where exactly can I find this security setting within the local Group Management console?
LVL 14

Assisted Solution

amichaell earned 2000 total points
ID: 35185513
Check under User Configuration -> Administrative Templates -> Control Panel.

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question