Solved

xp - permission issue

Posted on 2013-01-18
Last Modified: 2013-01-21
hi (im not sure if im going crazy)!!

ive setup a new windows 2003 domain & have added a single pc to the domain as i normally do.

im sure before i set gpo's, i should be able to logon via my xp desktop and physically access my 'tcp/ip properties', but i cannot as it states:

"Some of the controls on this property sheet are disabled because you do not have sufficient privileges to access or change them"

note: im sure i was able to access physically my 'tcp/ip properties', but later after messing around with my gpo settings i then was not able to access the 'tcp/ip properties', but i cannot remember.  so either way i did the following:

my attempted resolution:

step 1
- removed xp desktop from the domain

- logged back onto xp desktop as 'admin' & removed profile account via right click my computer, advanced tab & selected 'user profiles' & i then confirmed the account was also removed from: c:\documents & settings & it was. (somehow im not sure what i did i must have created a similar user name ie almost identical), which i also deleted to make sure

- i then rebooted the machine & logged back on as the 'admin' to confirm user account entries were still deleted & they were.

step 2

- logged onto master dc & removed
- opened gpmc & deleted group policy
- opened aduc - deleted xp machine & deleted 'ou'
- ran gpupdate & gpupdate /force & rebooted
- switched master dc back on & checked all entries were still removed - all good
- created clean new user account in 'default user ou container' but did not create a new ou or group policy at this time

step 3

- switched xp back on & logged on with admin account
- cmd prompt: ipconfig /all - dhcp successfully allocated address as expected, but i also saw 2 entries in the 'dns suffix for my domain name ie:

itservices.local
itservices.local

step 4 - why is below:

- joined xp pc to domain & followed wizard which asked if i wanted to add the user account under - 'standard user, or restricted or admin' & i selected standard, successfully
- xp desktop then rebooted
- logged on with user account to domain successfully
- right clicked pc icon on taskbar, right clicked & received the above message & saw that 'tcp/ip properties was still dimmed out - why ?

step 5

- as the above did not work, i returned to step 1 & created a new 'ou & via gpmc
- logged onto 'aduc' & selected xp desktop & moved to new 'ou' & user account into same 'ou'
- opened up gpmc & created & linked successfully a gpo but did not set any restrictions at this time!!!
- ran gpupdate  & gpupdate /force

step 6

- logged off desktop
- logged back onto xp desktop via domain successfully
- selected pc icon on taskbar, right clicked & received the above message & saw that 'tcp/ip properties was still dimmed out
Question by:mikey250
22 Comments
 
LVL 1

Accepted Solution

by:
George- earned 389 total points
ID: 38792399
Hi

Are you logging on as a local administrator?
0
 

Author Comment

by:mikey250
ID: 38792445
hi,

- yes all changes made by 1 administrator account on master dc
- yes all changes made via xp admin account
- logged back onto xp desktop via user account to check - which is where the issue is.

im thinking i have something unremoved maybe in registry of xp or maybe this double entry of:

itservices.local
itservices.local
0
 
LVL 1

Expert Comment

by:George-
ID: 38792462
If you login to the XP PC with Local administrator account is it greyed out?
0
 
LVL 8

Assisted Solution

by:EvilKnievel
EvilKnievel earned 111 total points
ID: 38792479
If there's no policy, you should always be able to change the settings using the domain administrator account. If that also fails, there might be something set in the 'top level' policy, like the 'domain policy'
0
 

Author Comment

by:mikey250
ID: 38792507
hi george,

if i logon as local admin, then no it is not greyed out and all is ok.
0
 
LVL 1

Assisted Solution

by:George-
George- earned 389 total points
ID: 38792511
and if you login with the domain administrator?
0
 

Author Comment

by:mikey250
ID: 38792521
hi evilknievel, even though i have created an 'ou & installed gpmc & created & linked a group policy there, no i have not changed anything yet.

ive checked the control panel in my 'default domain policy' & 'default domain controller policy', but nothing has been selected, although i have added some customization to a browser ie add 4 specific urls, but that is it.

im not sure if there is a way of setting both of the above back to default settings or something!!
0
 

Author Comment

by:mikey250
ID: 38792552
hi george,

- when i logon to the master dc - i only have 1 admin account so yes
- when i logon to the xp desktop via admin account to domain also, then yes i can access my tcp/ip properties' as expected. - this is what i dont understand, since ive completely removed old user account & ou & gpo.

- the only thing i did exactly the same was name the 'ou' exactly the same, but named the gpo differently & created a brand new/different user account.
0
 
LVL 1

Assisted Solution

by:George-
George- earned 389 total points
ID: 38792651
Is the user you are logging on with a local administrator?
0
 

Author Comment

by:mikey250
ID: 38792669
i only have 3 user accounts for the xp desktop:

- 1 x admin local account - tcp/ip properties accessed ok
- 1 x admin domain account - tcp/ip properties accessed ok
- 1 x domain user account - tcp/ip properties not accessed

ive obviously done something but have not got a clue!!

qns1.  isnt there a way of putting gpo settings back to their defaults ?
0
 
LVL 1

Assisted Solution

by:George-
George- earned 389 total points
ID: 38792679
Make the domain user a member of the local administrator accounts if you want them to access tcp-ip properties.
0
 
LVL 1

Assisted Solution

by:George-
George- earned 389 total points
ID: 38792686
To reset GPO objects you could try this link but i have not tried it so can't advise on its success/damage.

http://escapelogic.com/main/node/2
0
 
LVL 1

Assisted Solution

by:George-
George- earned 389 total points
ID: 38792698
0
 

Author Comment

by:mikey250
ID: 38793103
hi george, i did not want the domain user to be a member of the local admin group!!

what i wanted to do was to be able to 'prohibit via my gpo' as the natural method.

i will reset gpo as you suggest anyway!!  thanks
0
 
LVL 1

Assisted Solution

by:George-
George- earned 389 total points
ID: 38793347
What are you trying to achieve then?  A local user with normal rights to be able to access the tcp/ip properties?
0
 

Author Comment

by:mikey250
ID: 38793385
yes, & then access the gpo and 'prohibit', so i then know how to enable or disable this.!!

ive just run the 'reset gpo' you stated earlier and now rebooting master dc & will log back on to xp desktop & check.
0
 

Author Comment

by:mikey250
ID: 38793509
we know so far that the admin domain account is ok via xp desktop!!

after following your advice on the master dc where the gpo is configured & running: gpupdate /force & rebooting server, this has not resolved this issue on the xp desktop.

my next steps were as follows:

step 1

logged onto master dc & added domain user in members of tab ie to domain admin group

step 2

rebooted xp desktop & logged on to domain with xp user domain account - but still same issue.

step 3

on xp desktop
ran: secedit /configure /db reset /cfg "c:\windows\security\templates\setup security.inf" /overwrite - which successfully prompted 'yes or no' & i selected 'yes':

but it then states:  cannot perform this operation on built-in accounts
task is completed with error
see log %windir\security\logs\scesrv.log for detail info.
0
 
LVL 8

Expert Comment

by:EvilKnievel
ID: 38793568
You want to do this on your local pc. Add the group 'domain users' to the local 'administrators' group on the pc. Should be fixed then. You don't want domain users being member of domain admins i assume.
0
 

Author Comment

by:mikey250
ID: 38794224
hi yes it worked....!! hurray hurray!!!

qns1.  why did that not happen automatically, as i presume it should have ?

no i dont want the domain users to be a member of the domain admin, as i just joined the domain user to the admin group, in the hope that it would pull down the changes, but it did not.
0
 
LVL 8

Assisted Solution

by:EvilKnievel
EvilKnievel earned 111 total points
ID: 38800805
Glad it worked out!
The reason it did not happen automatically is because it shouldn't happen automatically, by default, domain users are only granted 'user' rights. Hope this clarifies it :)
0
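Added example (not part of the original thread, and not any participant's code): a batch script for an administrator command prompt on the XP desktop that lists the local Administrators group, flags broad groups such as Domain Users in it, and grants a single account membership of the built-in Network Configuration Operators group, which allows changing TCP/IP properties without full administrator rights. `ITSERVICES\testuser` is a placeholder account name, not a value from the thread.

```batch
@echo off
rem Added example: audit local Administrators and grant a narrower group.
rem Run from an administrator command prompt on the XP desktop.
rem ITSERVICES\testuser is a placeholder; replace with the real DOMAIN\account.
setlocal
set "ACCOUNT=ITSERVICES\testuser"

echo === Members of local Administrators ===
net localgroup Administrators

rem Flag broad groups: any of these makes every matching account a local admin.
net localgroup Administrators | findstr /i /l /c:"Domain Users" /c:"Authenticated Users" /c:"Everyone" >nul
if not errorlevel 1 (
    echo WARNING: a broad group is a member of local Administrators.
)

rem Grant only this one account the right to change network settings.
net localgroup "Network Configuration Operators" "%ACCOUNT%" /add
if errorlevel 1 echo Could not add %ACCOUNT%: already a member, or name not found.

echo === Members of Network Configuration Operators ===
net localgroup "Network Configuration Operators"

rem The account must log off and log on again before the new
rem group membership is present in its logon token.
endlocal
```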
 

Author Comment

by:mikey250
ID: 38800872
hi evil, if i remember correctly im sure i was always able to access in the past 'tcp/ip properties', to change the specific ip address for eg & only then when i installed gpmc on my server i would then be able to prohibit.

ok thanks for your help anyway. appreciated
0
 

Author Closing Comment

by:mikey250
ID: 38800879
sound advice!!!
0
