J.R. Sitman
asked on
2012 R2 server does not have domain administrator as a user
I'm logged on to a new 2012 R2 server that my assistant built (his first). I was trying to run a PowerShell script and it failed with "access denied" to files I was trying to delete in the system32 folder.
When I checked the security permissions there was no domain administrator in there.
I looked in users and the only user was Administrator for the computer, not the domain.
I've never seen this before. What is wrong and how do I fix it?
The domain users (including domain groups and users) do not show locally unless you are checking group members or ACLs assigned to resources such as files/folders. Where are you checking? Please post some screenshots.
No idea why you added the user... I never do that. The Domain Administrator is part of the Domain Administrators group. By default, this group is included in the local computer's "Administrators" group. So thanks to group membership, you have the administrator rights.
Would have been helpful to post the PowerShell window's errors (including the window title)... my guess is that you weren't running the PowerShell command as an administrator. (By default, even if you're an admin, you don't run things with admin rights for security).
ASKER
Why doesn't the domain admin show in the security properties?
Remove-Item : Cannot remove item C:\Windows\System32\Lock64.dll: Access to the path 'C:\Windows\System32\Lock64.dll'
is denied.
At C:\removalscript\Tricerat v4 Removal Script.ps1:337 char:5
+ Remove-Item $env:windir'\System32\Lock*'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Windows\System32\Lock64.dll:FileInfo) [Remove-Item], UnauthorizedA
ccessException
+ FullyQualifiedErrorId : RemoveFileSystemItemUnAuthorizedAccess,Microsoft.PowerShell.Commands.RemoveItemCommand
Remove-Item : Cannot remove item C:\Windows\System32\LockScreenContent.dll: Access to the path
'C:\Windows\System32\LockScreenContent.dll' is denied.
At C:\removalscript\Tricerat v4 Removal Script.ps1:337 char:5
+ Remove-Item $env:windir'\System32\Lock*'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Windows\Syst...reenContent.dll:FileInfo) [Remove-Item], Unauthoriz
edAccessException
+ FullyQualifiedErrorId : RemoveFileSystemItemUnAuthorizedAccess,Microsoft.PowerShell.Commands.RemoveItemCommand
Remove-Item : Cannot remove item C:\Windows\System32\LockScreenContentHost.dll: Access to the path
'C:\Windows\System32\LockScreenContentHost.dll' is denied.
At C:\removalscript\Tricerat v4 Removal Script.ps1:337 char:5
+ Remove-Item $env:windir'\System32\Lock*'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Windows\Syst...ContentHost.dll:FileInfo) [Remove-Item], Unauthoriz
edAccessException
+ FullyQualifiedErrorId : RemoveFileSystemItemUnAuthorizedAccess,Microsoft.PowerShell.Commands.RemoveItemCommand
Remove-Item : Cannot remove item C:\Windows\System32\LockScreenContentServer.exe: Access to the path
'C:\Windows\System32\LockScreenContentServer.exe' is denied.
At C:\removalscript\Tricerat v4 Removal Script.ps1:337 char:5
+ Remove-Item $env:windir'\System32\Lock*'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Windows\Syst...ntentServer.exe:FileInfo) [Remove-Item], Unauthoriz
edAccessException
+ FullyQualifiedErrorId : RemoveFileSystemItemUnAuthorizedAccess,Microsoft.PowerShell.Commands.RemoveItemCommand
Cleanup failed. Manual cleanup required.
PS C:\removalscript>
Ok, so the next question is, does the Domain Admins group belong to the local Administrators group on the computer? Check in Computer Management.
What are the permissions on the files in question (that you're trying to remove)?
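The checks raised in the replies above (whether the session is elevated, whether Domain Admins is nested in the local Administrators group, and what the ACLs on the target files say), as an added read-only PowerShell example that is not part of the original thread. It assumes the English group names "Administrators" and "Domain Admins" and takes the file pattern from the error output; it uses ADSI so that it runs on the PowerShell 4.0 that ships with 2012 R2.

```powershell
# Added diagnostic example (not from the thread). Read-only: it changes nothing.
# Assumption: the path pattern is the one shown in the error output above.
$pattern = Join-Path $env:windir 'System32\Lock*'

# 1. Is this PowerShell session elevated? Under UAC an administrator's normal
#    session runs with a filtered token, so this returns False until the
#    console is started with "Run as administrator".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"User: {0}   Elevated: {1}" -f $identity.Name, $elevated

# 2. Members of the local Administrators group. Domain accounts never appear
#    under local Users; they only show up here as group members.
#    (Group names are assumed to be the English defaults.)
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})
"Local Administrators:"
$members | ForEach-Object { "  $_" }
$hasDomainAdmins = [bool]($members -match '/Domain Admins$')
"Domain Admins nested in local Administrators: $hasDomainAdmins"

# 3. Owner and ACL entries of every file the removal script would touch.
#    A file whose ACL gives Administrators less than Modify/FullControl will
#    fail to delete even from an elevated session.
Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName
    "{0}  (owner: {1})" -f $_.FullName, $acl.Owner
    $acl.Access | ForEach-Object {
        "    {0,-6} {1,-40} {2}" -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
    }
}
```

Run it once from a normal console and once from an elevated one; if only the first run reports `Elevated: False` and the ACL output is unchanged, the difference between the two runs is the token, not the group membership.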
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
That fixed that problem, but there are more. See post below
https://www.experts-exchange.com/questions/29040141/Windows-server-2012-R2-permissions-on-services-get-Access-denied.html
ASKER
Thanks
Is this joined to another domain or is it a standalone DC?