Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Server Permissions

Posted on 2016-09-16
8
Medium Priority
?
71 Views
Last Modified: 2016-09-24
Which server permissions allow/deny running files like "openfiles.exe" or "Get-WMIObject"

I am a domain admin and even tried adding myself as a local administrator on the server itself, neither makes a difference, I just get an "Error: Access is Denied".  One server is Server2008 R2 and the other is a Server2012 R2

Thanks
0
Comment
Question by:Mick Finley
  • 4
  • 2
  • 2
8 Comments
 
LVL 6

Author Comment

by:Mick Finley
ID: 41802162
Ok, I discovered it does execute if I choose "run as administrator"...but why, this is only on a couple of servers, not all of them, what would be different for one Server2008 R2 to require ir, but not another Server2008 R2?
0
 
LVL 6

Accepted Solution

by:
Mick Finley earned 0 total points
ID: 41802208
I think I have found it.  Within 'Local Security Policy'>Security Options, there is a policy enabled called 'User Account Control: Run all administrators in Admin Approval mode' ...I can't restart the server yet to know for sure, but it sounds promising and is set different than my other servers
0
 
LVL 80

Expert Comment

by:arnold
ID: 41802641
Once local security policy is changed, the effect should be immediate.  The restrictions implemented for the UAC and similar in 2008 and newer is to avoid compromises that existing in the prior version to shield the system from compromises.

It sounds that on this server, your UAC prompt is disabled, while on the others with this setting still in place, you get prompted when an elevated access is needed that is not present on this one.  Check the control panel and UAC settings to make sure you get prompted in the event rights elevation is required to perform a task.

Think long and hard on whether you want to weaken the "security mechanism" on your system.
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 43

Expert Comment

by:Steve Knight
ID: 41802666
Agreed there... leave us on if possible!

When you run on a pc or server with us turned on as an admin then you get the rights associated with none admin groups.  e.g. if you try and amend files in a direction and domain users have read and domain administrator have modify rights then unless you run as admin you get the read access associated with normal users group.

Much more to it than that but helps protect your systems and data when you use admin accounts - e.g. if you are using a domain admin accounts on your workstation to login ..
0
 
LVL 6

Author Comment

by:Mick Finley
ID: 41805368
UAC on windows is very much like root on linux.  It's just annoying, but since I have found the workaround and know why it's doing it, that was all I needed.  Asking a question sometimes, makes a person think a bit more and I had it figured out very quick right after posting this...thanks for the replies all and maybe it'll help someone else in the future.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 41805379
Really would suggest leaving UAC enabled, all you have to do is start the script or batch file with right click, run as administrator when needed.
0
 
LVL 80

Expert Comment

by:arnold
ID: 41805569
Just be forewarned, the changes you made you may regret. Check the other systems in the same way to see whether they too have the "solution" you implemented on this system.
0
 
LVL 6

Author Closing Comment

by:Mick Finley
ID: 41813607
I posted my own solution.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By default Outlook 2016 displays only one time zone in the Calendar. The following article explains how to display two time zones in one calendar view.
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question