How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Posted on 2011-03-21
Last Modified: 2012-05-11
How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Even though a particular domain user has been given administrator rights on the Server 2003 server, he is unable to access Control Panel on the server since access to this resource is not allowed.

When I log onto the server as a domain administrator, I have full administrator rights and can fully modify and change the server settings.

However, when I log onto the server as this particular domain user who does have administrator rights, I am unable to make any of these changes or modifications.

How can I turn off the restrictions that prevent logged on users from accessing things such as Control Panel on a Server 2003 server?

Question by:Knowledgeable
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Author Comment

ID: 35185312
Here is the exact error message (see the screenshot):

“This operating has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.”


Author Comment

ID: 35185413
I receive the exact same error message if I open a command prompt and type in the following command:

runas /user:administrator@domain.local "control.exe"

Please Note: I have changed the actual domain name above, so as not to reveal the name of the company I am consulting for.

The change that I need to make applies to only this one particular domain user (who regularly establishes Remote Desktop sessions to this server) and has to be made while this user is logged onto the server using his domain account.

I have given the user local administrator rights, and domain administrator rights, but I still continue to receive these errors while I am logged onto the server as him.

There are also lots of other restrictions in place, such as not having the Control Panel icon and not being able to access Control Panel in any other method.

I also don't have the ability to right click while logged on as this user.

The only change that I need to make is to change which Exchange server the user connects to when launching Outlook.

Unfortunately, this is a change that I am unable to make at all until I am able to temporarily disable these security settings.

Once I have made this change to the Exchange server setting within Outlook, I will reapply these security settings.

How can I temporarily disable these security settings for this particular user?
LVL 14

Accepted Solution

amichaell earned 500 total points
ID: 35185424
There is most likely a Group Policy Object restricting access.  The GPO has mostly likely been denied to the domain admins group, which is why you are able to access, though the user cannot.  From the server's command line run GPRESULT to determine the GPOs in effect on the server.  

Could also be a local policy (Start -> Run -> GPEDIT.MSC).

Author Comment

ID: 35185432
Where exactly can I find this security setting within the local Group Management console?
LVL 14

Assisted Solution

amichaell earned 500 total points
ID: 35185513
Check under User Configuration -> Administrative Templates -> Control Panel.

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question