Announcement

Collapse
No announcement yet.

Access Denied running gpmc.msc from a different domain

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Access Denied running gpmc.msc from a different domain

    I have 2 domains, where DCs were upgraded to 2008 R2 Core. There is a trust established where Domain2 trusts Domain1

    From a 2008 server that has RSAT tools installed, in DOM1, I run the following without any problems:
    runas /netonly /user:MYDOM2.com\usr "mmc dsa.msc /server=MYDOM2" I can also run compmgmt.msc and some others.

    When I run:
    runas /netonly /user:MYDOM2.com\usr "mmc gpmc.msc /server=MYDOM2"



    I receive message: "Access Denied" It gives me an option to pick another domain controller, but only DOM1 is listed, and it is grayed out, I cant change it.
    My user account gets locked out.

    Any suggestions?
    Thank you.
    Last edited by mkozachkov; 4th August 2010, 23:23.

  • #2
    Re: Access Denied running gpmc.msc from a different domain

    Did this work before the upgrade?
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

    Comment


    • #3
      Re: Access Denied running gpmc.msc from a different domain

      Never needed to try it. Used the GPMC on local 2003 DC

      Comment


      • #4
        Re: Access Denied running gpmc.msc from a different domain

        You could of course just remote desktop into the other domain

        EDIT
        Result of a quick
        http://technet.microsoft.com/en-us/l...57(WS.10).aspx

        You appear to need a 2 way trust or disable trust detection
        (This was for 2003 but worth a try in 2008 )
        Last edited by Ossian; 5th August 2010, 06:59.
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Access Denied running gpmc.msc from a different domain

          As I mentioned, This is 2008 Core. There no GUI, and I don't have any PCs in that domain. Anyway, my question is why am I able to use some of the msc and not gpmc ? And if there's a way to fix this ?

          Comment


          • #6
            Re: Access Denied running gpmc.msc from a different domain

            Did you read the second part of my post?
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            Comment


            • #7
              Re: Access Denied running gpmc.msc from a different domain

              I wouldn't want to make changes to the trust, just to enable this.
              Why would it work on dsa.msc and not on gpmc ?

              Comment


              • #8
                Re: Access Denied running gpmc.msc from a different domain

                As the link says, you can disable Trust Detection in the console.

                Why? - its Microsoft so it works the way they decide to do it. Do you really need to know more?
                Last edited by Ossian; 5th August 2010, 19:15.
                Tom Jones
                MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                PhD, MSc, FIAP, MIITT
                IT Trainer / Consultant
                Ossian Ltd
                Scotland

                ** Remember to give credit where credit is due and leave reputation points where appropriate **

                Comment


                • #9
                  Re: Access Denied running gpmc.msc from a different domain

                  yes
                  Originally posted by Ossian View Post
                  You appear to need a 2 way trust or disable trust detection
                  (This was for 2003 but worth a try in 2008 )
                  this is the same for Windows 2008 /R2 (with GUI)- You first have to untick 'Enable Trust Detection' on MyDom2

                  For Server Core, you probably can do this by remote-mmc from an other computer in domain2, http://www.petri.com/remotely-manage...r-2008-mmc.htm


                  \Rems
                  Last edited by Rems; 5th August 2010, 19:38.

                  This posting is provided "AS IS" with no warranties, and confers no rights.

                  __________________

                  ** Remember to give credit where credit's due **
                  and leave Reputation Points for meaningful posts

                  Comment


                  • #10
                    Re: Access Denied running gpmc.msc from a different domain

                    Thanks for the confirmation
                    Tom Jones
                    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                    PhD, MSc, FIAP, MIITT
                    IT Trainer / Consultant
                    Ossian Ltd
                    Scotland

                    ** Remember to give credit where credit is due and leave reputation points where appropriate **

                    Comment


                    • #11
                      Re: Access Denied running gpmc.msc from a different domain

                      Thank you very much. Un-checking "enable trust detection" worked.

                      Comment

                      Working...
                      X