Announcement

Collapse
No announcement yet.

admin account seems to lack admin authority

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • admin account seems to lack admin authority

    Hi,

    I am helping support a mixed 2003 Server/Novell network using Active Directory.

    One of the XP Pro client machines, which is running Novell client, became very unstable and I ended up having to reinstall windows. I then had to uninstall and reinstall Microsoft Office and use various antispy tools to remove a bunch of adware the machine had accumulated. I did all this logged on as the machine's normal user.

    Having gotten the machine stable I then tried to run Windows Update prior to reinstalling Service Pack 2 but the install failed with 0x8007F004 which means insufficient authority. The system also tells me I don't have authority to take a restore point.

    I tried logging on as Domain Administrator but it still tells me I don't have the required admin rights. When I logon as Domain Admin I don't get asked for a windows logon. I have checked AD and as far as I can see Domain Admin should have admin rights.

    I am obviously missing something. Can someone point me in the right direction? Thanks.

  • #2
    Re: admin account seems to lack admin authority

    I'd check to make sure that the local groups contain the proper members (i.e. the Administrators group contains the Administrator account and the Domain Admins group)

    Also, I'd check the to make sure the privileges are set properly. You can use the Security Configuration and Analysis snap-in to do this.
    http://www.microsoft.com/resources/d....mspx?mfr=true
    http://www.microsoft.com/resources/d....mspx?mfr=true

    Of course to gather some of the settings you need admin privileges so that might not work...
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    Comment


    • #3
      Re: admin account seems to lack admin authority

      Hi Jeremy,

      Thanks for the link - I will chase that up.

      The Domain Admin account is a member of Admin and Enterprise Admin groups so all looks well there.

      The puzzling thing is why I can't do this when logged on as the normal user. My first task here was to get SP2 installed on all client machines. I've done a dozen logged on as each machine's usual user without issue. This is the only machine to give me problems. I'm assuming the reinstall of windows is involved somehow.

      Comment


      • #4
        Re: admin account seems to lack admin authority

        Originally posted by gsaint
        The Domain Admin account is a member of Admin and Enterprise Admin groups so all looks well there.
        Just to clarify, it sounds like you're talking about the account being a member of AD groups. I was talking about the local groups on the XP machine.


        I did all this logged on as the machine's normal user
        Is this the XP machine's local admin account?
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        Comment


        • #5
          Re: admin account seems to lack admin authority

          Hi Jeremy,

          Thanks for your patience. Bear with me as my understanding of security and authority for a machine running in a domain environment is very hazy.

          When I go into Control Panel -> Users the machine's normal user (let's call her M) is listed as an administrator for the machine.

          I ran esentutl /g on c:\windows\security\database\secedit.sdb and it reported no problems.

          I tried running mmc and adding the security configuration snapin but when I tried to open c:\windows\security\database\secedit.sdb I got "access denied"

          While this has been going on I needed to get a list of all product keys for all copies of Microsoft office installed here. So I downloaded a program called produkey which will retrieve them remotely provided you have admin authority on the target machine. I ran produkey on my machine as the domain administrator and it got the keys from M's machine with no trouble.

          This has left me more confused.

          Comment


          • #6
            Re: admin account seems to lack admin authority

            Originally posted by gsaint
            Thanks for your patience. Bear with me as my understanding of security and authority for a machine running in a domain environment is very hazy.
            I'll do my best
            When I go into Control Panel -> Users the machine's normal user (let's call her M) is listed as an administrator for the machine.
            And this is the user used to try and open secedit.sdb?
            I ran esentutl /g on c:\windows\security\database\secedit.sdb and it reported no problems.
            What led you to doing that? Were you getting an error?
            I tried running mmc and adding the security configuration snapin but when I tried to open c:\windows\security\database\secedit.sdb I got "access denied"
            Did you try creating a new database?

            I ran produkey on my machine as the domain administrator and it got the keys from M's machine with no trouble.
            What was the user that you used?

            I'd run gpresults or RSoP in logging mode and see if there's any settings restricting you.
            Also, how did you reinstall Windows? And after the reinstall did you reset the computer account and rejoin the domain?
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            Comment


            • #7
              Re: admin account seems to lack admin authority

              Hi Jeremy,

              To answer your questions :

              "And this is the user used to try and open secedit.sdb?" Yes.

              "What led you to doing that?" I ran esentutl because the Microsoft web site recommending doing it to check the security database was clean.

              "Did you try creating a new database?" - No. To be frank I wasn't really sure what I trying do so I stopped on first error.

              "What was the user that you used (for produkey)?" - I did RUNAS using Domain Admin account

              "how did you reinstall Windows? " I booted from the Windows CD and selected the option to install windows.

              "after the reinstall did you reset the computer account and rejoin the domain?" No, after the machine rebooted I just logged on to the domain. All the installed software and user files were still there so I assumed the SID was unchanged.

              I ran gpresult on M's computer using her name and password. Output in attached text file.
              Attached Files

              Comment


              • #8
                Re: admin account seems to lack admin authority

                Afaik the SIDs change.
                Browse to Program Files\Internet Explorer and check the owner of the folder. If it doesn't display a name but just some long number starting with an S then that should explain the error when updating... but I'm doubtful that this is the issue.
                http://support.microsoft.com/?kbid=810881

                Could you run gpresults /v post back?
                Also, try using the Security Configuration and Analysis. Once you have it open in an MMC, rick click Security Configuration and Analysis and select Open Database. Type in a new name instead of selecting a database, click Open and select b]Setup Security[/b]. Look for differences between the two and also be looking for settings that may restrict the admin. Run this under both the local admin account and the domain admin account... see if either or any work.

                I may be barking up the wrong tree with this... I'll have to think about it some.
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com

                Comment


                • #9
                  Re: admin account seems to lack admin authority

                  Hi Jeremy,

                  Thanks for your patience on this.

                  I went to Melissa's machine, logged on as her.

                  Internet Explorer folder is owned by Administrator.

                  Ran a gpresults /v, result attached as melissa2.txt.

                  Ran mmc as Melissa and as Domain Admin - couldn't see any obvious differences.

                  Ran a securty log as both Attached as Melissa.log & admin.log)

                  Thanks again.
                  Attached Files

                  Comment


                  • #10
                    Re: admin account seems to lack admin authority

                    Nothing jumps out at me. Did some googling and it seems that it may be related to Group Policy.
                    Check out the last post here http://www.anetforums.com/posts.aspx?ThreadIndex=28944
                    Regards,
                    Jeremy

                    Network Consultant/Engineer
                    Baltimore - Washington area and beyond
                    www.gma-cpa.com

                    Comment


                    • #11
                      Re: admin account seems to lack admin authority

                      Hi Jeremy,

                      Well this grows interesting. I tried to do as link suggested - gpedit.msc. When I clicked on User Rights Assignment all I got was an hour glass. After about ten minutes a message popped up claiming that virtual memory was very low (not true - virtual memory is 1.5 times ram and can grow if required). Half an hour after that I powered off to reboot. I could move the mouse but that was all. Ctrl-Alt-Del didn't get a response.

                      The system took a long while to produce the security logs yesterday but gpresults ran fast enough. User doesn't report any problem running normal app.

                      Regards,

                      Graham

                      Comment


                      • #12
                        Re: admin account seems to lack admin authority

                        Originally posted by gsaint
                        After about ten minutes a message popped up claiming that virtual memory was very low (not true - virtual memory is 1.5 times ram and can grow if required). Half an hour after that I powered off to reboot. I could move the mouse but that was all. Ctrl-Alt-Del didn't get a response.
                        Well judging by your description of the behaviour of your computer, I'd say that it was low on virtual memory. Did you check to see how much memory was in use? (crl + shift + esc -> Performance tab -> PF Usage)

                        Are you sure all the malware is off the computer? Have you run a scan with your AV software and the other various spyware tools? If I'm having trouble with malware that just won't leave I'll run an online scan using something like Kaspersky and/or Symantec so I can at least identify what I'm needing to get rid of.

                        See if this memory thing is a trend. Try following the steps again (gpedit.msc -> User Rights Assignment -> etc.) and if/when the computer slows, open Task Manager to see what processes are using all the memory and cpu cycles.

                        PS - instead of Task Manager, I like to use Process Explorer
                        Regards,
                        Jeremy

                        Network Consultant/Engineer
                        Baltimore - Washington area and beyond
                        www.gma-cpa.com

                        Comment


                        • #13
                          Re: admin account seems to lack admin authority

                          Hi Jeremy,

                          1) Ran Kaspersky online virus scan - it found nothing
                          2) Ran Lavasoft Adaware - found nothing except for some tracking cookies (which I deleted)
                          3) Ran Spybot Search & Destroy - it found Bearshare which it was unable to delete (even doing a reboot and running at startup)
                          4) Ran Xsoftspy which reported Aornum, FunWebProducts,Winpcap and Viewpoint (couldn't remove these as it was unregistered version)

                          Process Manager initially shows

                          Total Memory - 260 M
                          Available - 125 M
                          PF - 212M

                          Kicked off gpedit and clicked on User Rights Assignment. CPU usage immediately jumps to 100% and stays there. PM reports lsass.exe as using all the CPU cycles. PF increases and just keeps steadily growing. Available memory keeps decreasing.

                          BTW the company has not set up any GPO's as yet so the only ones active are the default ones provided by Microsoft.

                          Thanks again for your patience with this.

                          Graham

                          Comment


                          • #14
                            Re: admin account seems to lack admin authority

                            Well it sounds like the computer still has some malware on it that needs to be taken care of.
                            What SP level is the Windows install at? If it's not SP2 I'd download and install it and see if that clears up the errors.
                            Regards,
                            Jeremy

                            Network Consultant/Engineer
                            Baltimore - Washington area and beyond
                            www.gma-cpa.com

                            Comment


                            • #15
                              Re: admin account seems to lack admin authority

                              Hi Jeremy,

                              The machine is currently at SP1. It was the install of SP2 that resulted in the machine going unstable and forcing a reinstall of Windows. This time I decided I'd ensure the machine was malware free and had all other updates installed before applying SP2.

                              I was trying to avoid scrubbing the disk down to bare metal and doing a full install from scratch but its beginning to look as if that's my only option.

                              Comment

                              Working...
                              X