Solved

Security Permissions Issues

Posted on 2016-10-21
Last Modified: 2016-10-21
I'm having some permissions issues and don't know what I'm doing wrong.

I had a Win7 PC (MAE-PC) which had one user: Michael.  This user is in the local Administrators group (see snapshot)

I added a local server and started up AD DS, DNS and DHCP and created a Domain Admin called Michael (Michael@ESCARRAF.COM).

I added the Win7 PC (MAE-PC) to the Domain.  Then went into the Local Users and Groups for the PC and added the Domain Admin (Michael@ESCARRAF.COM) to the Local Administrators group (see snapshot).  

When I log in to MAE-PC\Michael (local Admin) I can install programs fine.  But, when I log in as ESCARRAF\Michael, it says permission denied on the C:\Program Files and C:\Program Files (x86) folders.

So, when I check the Security tab on C:\Program Files I see that LOCAL Administrators have no access and Users have Read/Execute.  How is that even possible?  Anyway, my main issue is that I can't install anything when logged in with a Domain user.  See snapshot for security settings on C:\Program Files.  I have NEVER touched these permissions.

I did notice that for C:\Program Files, C:\Program Files (x86), C:\Users and C:\Windows, the permissions are NOT inherited from C:\

Michael
2016-10-21_10-36-49.jpg
2016-10-21_10-58-26.jpg
2016-10-21_10-58-48.jpg
2016-10-21_10-59-13.jpg
Question by:Michael
10 Comments
 
LVL 53

Accepted Solution

by:
McKnife earned 250 total points
Simply scroll down on https://filedb.experts-exchange.com/incoming/2016/10_w43/1123503/2016-10-21_10-58-48.jpg
You'll see that there is a checkbox "special permissions" checked for administrators. They have all access.
0
 

Author Comment

by:Michael
My main question is why doesn't ESCARRAF.COM/Michael have access?
0
 
LVL 53

Expert Comment

by:McKnife
UAC filters the domain admin's token. It will only take effect when Michael elevates.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 250 total points
To McKnife's point, when you install as local user, do you get prompted for UAC elevation? If so, when you log in with the domain account, do you get prompted with UAC as well?
Your AD GPO might set UAC not to prompt (notify, never) which will explain the difference in handling.
Do you get the same error if you right click on the setup, installer and run it as administrator?
0
 

Author Comment

by:Michael
Let me try to right click. I do know that I have UAC disabled so that shouldn't be the issue. I don't get prompted ever.
0
 
LVL 53

Expert Comment

by:McKnife
With UAC off, it has to work. So it's defective behavior. Try a repair installation, a.k.a. in-place upgrade.
0
 
LVL 76

Expert Comment

by:arnold
With UAC off, the domain account even as part of the local administrators group falls under more scrutiny compared to the local account that is a member of the local administrators group.

Do you have any anti-virus application on the system/internet security application that might be enforcing/denying the domain user install attempt?
0
 
LVL 53

Expert Comment

by:McKnife
I disagree. No difference between different admins when UAC is off.
0
 
LVL 76

Expert Comment

by:arnold
Is the domain account also a member of the domain users group?
0
 

Author Comment

by:Michael
Fixed!  After rebooting all is fine!  Perhaps the domain didn't authenticate thus the NT Authority wasn't a valid user?

Thanks for the responses!
0
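
The checks raised in this thread (is the logon token UAC-filtered, what is the UAC policy, and what does the ACL on C:\Program Files really grant Administrators) can be gathered in one pass. The PowerShell below is an added example, not something posted by the thread's participants; it assumes an English-locale `whoami`, since its CSV column names and the "deny only" attribute text are localized.

```powershell
# Added diagnostic example (not from the thread). Run it as the affected user,
# e.g. the domain account on the workstation, in a normal (non-elevated) window.
# Assumption: English-locale whoami (column names and attribute text are localized).

$adminSid  = 'S-1-5-32-544'   # well-known SID of the local Administrators group
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only if the Administrators SID is enabled (usable for allow ACEs) in this token.
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists every group SID in the token, including deny-only ones.
$entry = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq $adminSid }

if (-not $entry) {
    # Group membership is evaluated when the token is built at logon.
    $state = 'Administrators SID not in this token: not a member, or added after logon (log off and on again)'
} elseif ($entry.Attributes -match 'deny only') {
    $state = 'Filtered (UAC) token: Administrators is deny-only until the process is elevated'
} else {
    $state = 'Full token: Administrators is enabled'
}

# UAC policy values: EnableLUA 0 = Admin Approval Mode off, 1 = on.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey

"User:                        $($identity.Name)"
"IsInRole(Administrator):     $isAdmin"
"Token state:                 $state"
"EnableLUA:                   $($uac.EnableLUA)"
"ConsentPromptBehaviorAdmin:  $($uac.ConsentPromptBehaviorAdmin)"

# Resolve the (possibly localized) account name for the Administrators SID,
# then list its ACEs on Program Files. ACEs that the Security tab summarises as
# "Special permissions" appear here with their actual rights; generic rights
# show as raw numbers (268435456 = GENERIC_ALL).
$sid       = New-Object Security.Principal.SecurityIdentifier($adminSid)
$adminName = $sid.Translate([Security.Principal.NTAccount]).Value

(Get-Acl -Path $env:ProgramFiles).Access |
    Where-Object { $_.IdentityReference.Value -eq $adminName } |
    Format-Table FileSystemRights, AccessControlType, IsInherited,
                 InheritanceFlags, PropagationFlags -AutoSize
```

Comparing the output from the local account and the domain account on the same machine shows whether the two sessions differ in token state or only in policy.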
