[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

Server Permissions

Posted on 2016-09-16
8
Medium Priority
?
74 Views
Last Modified: 2016-09-24
Which server permissions allow/deny running files like "openfiles.exe" or "Get-WMIObject"

I am a domain admin and even tried adding myself as a local administrator on the server itself, neither makes a difference, I just get an "Error: Access is Denied".  One server is Server2008 R2 and the other is a Server2012 R2

Thanks
0
Comment
Question by:Mick Finley
  • 4
  • 2
  • 2
8 Comments
 
LVL 6

Author Comment

by:Mick Finley
ID: 41802162
Ok, I discovered it does execute if I choose "run as administrator"...but why, this is only on a couple of servers, not all of them, what would be different for one Server2008 R2 to require ir, but not another Server2008 R2?
0
 
LVL 6

Accepted Solution

by:
Mick Finley earned 0 total points
ID: 41802208
I think I have found it.  Within 'Local Security Policy'>Security Options, there is a policy enabled called 'User Account Control: Run all administrators in Admin Approval mode' ...I can't restart the server yet to know for sure, but it sounds promising and is set different than my other servers
0
 
LVL 81

Expert Comment

by:arnold
ID: 41802641
Once local security policy is changed, the effect should be immediate.  The restrictions implemented for the UAC and similar in 2008 and newer is to avoid compromises that existing in the prior version to shield the system from compromises.

It sounds that on this server, your UAC prompt is disabled, while on the others with this setting still in place, you get prompted when an elevated access is needed that is not present on this one.  Check the control panel and UAC settings to make sure you get prompted in the event rights elevation is required to perform a task.

Think long and hard on whether you want to weaken the "security mechanism" on your system.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 43

Expert Comment

by:Steve Knight
ID: 41802666
Agreed there... leave us on if possible!

When you run on a pc or server with us turned on as an admin then you get the rights associated with none admin groups.  e.g. if you try and amend files in a direction and domain users have read and domain administrator have modify rights then unless you run as admin you get the read access associated with normal users group.

Much more to it than that but helps protect your systems and data when you use admin accounts - e.g. if you are using a domain admin accounts on your workstation to login ..
0
 
LVL 6

Author Comment

by:Mick Finley
ID: 41805368
UAC on windows is very much like root on linux.  It's just annoying, but since I have found the workaround and know why it's doing it, that was all I needed.  Asking a question sometimes, makes a person think a bit more and I had it figured out very quick right after posting this...thanks for the replies all and maybe it'll help someone else in the future.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 41805379
Really would suggest leaving UAC enabled, all you have to do is start the script or batch file with right click, run as administrator when needed.
0
 
LVL 81

Expert Comment

by:arnold
ID: 41805569
Just be forewarned, the changes you made you may regret. Check the other systems in the same way to see whether they too have the "solution" you implemented on this system.
0
 
LVL 6

Author Closing Comment

by:Mick Finley
ID: 41813607
I posted my own solution.
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an article on how to answer questions, earn points and become an expert.
This article provides a step by step guide (with screenshots) showing how to create a new local (test) Administrator user profile in Windows 10 for troubleshooting purposes, and then how to remove it.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Loops Section Overview

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question