mhamer
asked on
Windows 2008 Permissions issue Local Admins
example error
RUn Regedit > Windows cannot access the specified device, path .....etc
if i look at file permissions it says administrators and system have full control
my domain account is in administrtors group
but i still get access denied, if i add my name to the regedit.exe directly along side administrators it works.
any reason why the group doesnt seem to be working?
there are GPOS applied but all Computer based none user.
windows 2008 R2
RUn Regedit > Windows cannot access the specified device, path .....etc
if i look at file permissions it says administrators and system have full control
my domain account is in administrtors group
but i still get access denied, if i add my name to the regedit.exe directly along side administrators it works.
any reason why the group doesnt seem to be working?
there are GPOS applied but all Computer based none user.
windows 2008 R2
In Windows 2008 R2, if you have User Account Control (UAC) still turned on, even if you're an administrator of the computer, you will not open programs as an administrator. When performing the run, a pop-up box should appear. Make sure to select Yes, as it's asking you if you want to run the program as an administrator. Otherwise, it will run in the context of your account.
I should also mention, since you said you have GPOs, that any GPOs applying rights could have an effect on your access to certain parts of the registry. You may want to use the Group Policy Management console to verify your GPO settings for possible conflicts.
I should also mention, since you said you have GPOs, that any GPOs applying rights could have an effect on your access to certain parts of the registry. You may want to use the Group Policy Management console to verify your GPO settings for possible conflicts.
ASKER
this is just affceting the fies secured by GPO
eg
%systemroot\regedit.exe
and administrators and system have full control
If i add my name here too i can open the file
dont seem to be any conflicts (rsop)
eg
%systemroot\regedit.exe
and administrators and system have full control
If i add my name here too i can open the file
dont seem to be any conflicts (rsop)
Are you using UAC? If not, have you rebooted since you turned it off? See the following as an example: http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/86e2f00b-ecff-4eb7-820f-5c65bab19760/.
ASKER
Hi, Minoru
Rebooting fixed it thankk you.
but now in a mini dilema, I dont want UAC off or disabled
should I have to turn this off in order to set permissions via GPO???
Rebooting fixed it thankk you.
but now in a mini dilema, I dont want UAC off or disabled
should I have to turn this off in order to set permissions via GPO???
ASKER
Also noticed that files that do work have TRUSTEDINSTALLER as an account with rights
but i cant add this to any where (can you?)
but i cant add this to any where (can you?)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok only way i can resolve at preent is
a: disable UAC
b: add servername\Users group to file permissions (no other groups work)
c: add an individual name
security on the file regedit.exe is servername\administrators | System |TrustedInstaller all full control.
we dont have this on WIn7 so ill try match up the policys in play in win7 see if there are any diffrences but it does seem odd.
a: disable UAC
b: add servername\Users group to file permissions (no other groups work)
c: add an individual name
security on the file regedit.exe is servername\administrators | System |TrustedInstaller all full control.
we dont have this on WIn7 so ill try match up the policys in play in win7 see if there are any diffrences but it does seem odd.
Check this website: http://answers.microsoft.com/en-us/windows/forum/windows_7-files/windows-trusted-installer-denying-access-to-files/5203914d-9357-4b71-a4c5-a2d11d392fff.
From what I remember, TrustedInstaller is part of UAC.
From what I remember, TrustedInstaller is part of UAC.
ASKER
hi, i agree with what the lnk suggests but it is talking about normal files and folders
I dont think changing ownership of all system files is a resonable fix (or is it?)
I dont think changing ownership of all system files is a resonable fix (or is it?)
ASKER
Also another bit of info
Adding. Built in local users group. Servername\users
Makes it work
Even if I remove all members of this group!
Which makes me think it's by design.
But does that ring true with anyone?
Adding. Built in local users group. Servername\users
Makes it work
Even if I remove all members of this group!
Which makes me think it's by design.
But does that ring true with anyone?
Are you saying that the local users group hasn't been given rights to the regedit file? By default, it should have <localcomputer>\Users as having Read & Execute and Read. Same goes for local administrators and SYSTEM. Domain users are local users by default, so they will inherit those rights. Domain admins are local admins by default, so they will inherit those rights. The Windows directory should have local Users with Read & Execute, List folder contents, and Read.
ASKER
yep thats what im saying
the security clamp policy changes rights to files to local\administrators and system
users is removed
by the fact domain users is in local\users is that not saying all users have rights to the file?
I didnt create the policy by the way sent in by th esecuirty chaps.
just couldnt understand the behaviour
the security clamp policy changes rights to files to local\administrators and system
users is removed
by the fact domain users is in local\users is that not saying all users have rights to the file?
I didnt create the policy by the way sent in by th esecuirty chaps.
just couldnt understand the behaviour
ASKER
you got the point's ages ago by the way :-) just cant see any "microsoft" blurb as to why you cant do what they did , as there pushing for a resolution rather than "the policy is wrong"
ASKER
if i add a domain user it does open
same issue as here.
https://www.experts-exchange.com/questions/24182131/Security-groups-not-working-on-domain.html