Guest Jerry Banasik
Posted December 30, 2008

I have a new server that seems to be lacking full permissions for Domain Admins. Here is the background and problem:

- Windows 2003 domain controllers
- All existing servers have the latest updates
- Windows 2003 R2 on servers involved - "A" & "B"
- Server "A" was renamed to server "B"
- Removed from the domain
- Renamed to "B"
- Rejoined the domain
- Server "B" is to be dismantled when server "A" is fully operational
- Server "A" was re-created from scratch on new hardware
- All updates were applied to server "A" before joining the domain
- Domain Admin can log in to the server "A"
- Domain Admin on server "A" cannot execute programs, download files or write files located on another server
- Domain Admin on server "A" cannot use shared DVD drive on another server
- Domain Admin on another server can write files to server "A"
- Domain Admin on server "A" must authenticate when opening SQL Server 2005 Reporting Service (SSRS) web page
- Local Admin account (using Run As) does not have any problems opening SSRS web pages
- NetDiag does not find any problems
- Domain Admin group is listed in local Administrators group
- Domain Admin group is listed in local Users group
- Different Domain Admin account has the same problem
- Dropped server "A" from the domain
- Deleted server "A" from AD and waited 1 hour for changes to propagate to other domain controller
- Rejoined server "A" to the domain and problem remains

I am running out of things to check and need some suggestions.

Thanks

Guest Marcin
Posted January 1, 2009

Jerry,

Do you have any GPOs configured such that they would impact the behavior you described? If so, do Domain Admins have Read and Apply Group Policy permissions to them? What errors are you getting when trying to access remote shared DVD drives on other servers? Have you tried disabling IE Enhanced Security Configuration?

hth
Marcin

Guest Jerry Banasik
Posted January 2, 2009

I did a lot more poking and prodding to determine exactly what was going on. I used Microsoft SysInternals Process Monitor (Procmon.exe) on "A" and "B" while trying to open files on the other computer. You can see lots of stuff going on, but nothing to indicate any problems. [I did find that shell32.dll was not properly registered on "A", but this did not change anything].

After making more tests I determined that non-executable files like text could be opened by "A"; executable files were being blocked! After carefully comparing "A" to "B" I still could not find anything out of place. Then I remembered that Internet Explorer settings can affect local machine and network behavior. I compared IE between "A" and "B", but still did not see any differences.

Going back to the fact that text files worked, I knew that it was the local machine blocking anything that looked like an executable. [This is the second installation of this new hardware, but it is not that much different from the other servers which do not have any problems like this. The other new server is running Windows 2008 and did not experience any problems like this, but is not suitable for comparison].

Still IE 7.0 burned on my mind. I did some Google searching and found information that led me to the answer. It seems that new hardware with Windows 2003 R2 (and all of the updates) requires entries into the Local Intranet Sites on IE 7.0. These entries look like "file://<machinename>" or can be entered as "\\<machinename>", which get translated to the other entry. So as soon as I entered "\\B", I could remotely run an executable located on "B".

THIS IS ONLY REQUIRED ON THIS NEW SERVER WITH WINDOWS 2003! I guess it is the new BIOS, CPU or Chipset that allows IE to have this much control over the machine.

Lesson Learned: Microsoft/Intel sure makes things difficult and not very logical sometimes.

Thanks for taking the time to try to help me out.

Jerry
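
Added example, not part of the thread: the fix reported in the last post was a Local Intranet entry for the file server in IE's site list. The PowerShell below lists the current user's zone-map entries and reports whether a given server name is mapped to the Local intranet zone for file access. It assumes the entries are stored per user under HKCU; `Get-ZoneMapEntry` is an illustrative helper name and `B` is the thread's placeholder server name.

```powershell
# Added example, not from the thread. 'B' is the thread's placeholder server name.
param([string]$Server = 'B')

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
# Assumption: mappings are per user (HKCU), which is where the IE dialog writes them.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-ZoneMapEntry {
    # 'Domains' is the normal map; 'EscDomains' is the one consulted while
    # IE Enhanced Security Configuration is enabled for the account.
    foreach ($map in 'Domains', 'EscDomains') {
        $root = Join-Path $base $map
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -Recurse) {
            # Path of the entry relative to the map, e.g. 'B' or 'example.com\www'.
            $entry = ($key.Name -split [regex]::Escape("\ZoneMap\$map\"), 2)[1]
            # Value names are URL schemes ('file', 'http', '*'); data is the zone number.
            foreach ($scheme in $key.GetValueNames()) {
                $zone = $key.GetValue($scheme)
                New-Object PSObject -Property @{
                    Map = $map; Entry = $entry; Scheme = $scheme
                    Zone = $zone; ZoneName = $zoneNames[$zone]
                }
            }
        }
    }
}

$entries = @(Get-ZoneMapEntry)
$entries | Sort-Object Map, Entry |
    Format-Table Map, Entry, Scheme, Zone, ZoneName -AutoSize

# A UNC path to the server is treated as intranet only if the 'file' scheme
# (or the catch-all '*') for that name is mapped to zone 1.
$hit = $entries | Where-Object {
    $_.Entry -eq $Server -and $_.Zone -eq 1 -and ('file', '*') -contains $_.Scheme
}
if ($hit) { "'$Server' is mapped to the Local intranet zone for file access." }
else      { "'$Server' has no Local intranet mapping for file access in this profile." }
```

Run it as the affected account, since the map is read from that user's profile; comparing the output on a working and a non-working server shows whether the zone mapping is the difference.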