
Permissions issue for Domain Admins, SBS 2003


  • Permissions issue for Domain Admins, SBS 2003

    My company has a single SBS 2003 Standard domain controller running our network. There are 3 admins who all have their own Domain Admin user account, in addition to the standard Administrator account which is generally unused.

    When logged in as the default Administrator account, things work fine; however, when logged in as our own Domain Admin accounts, we experience the following errors:

    Right click on a file in the NETLOGON or SYSVOL share, e.g. editing login scripts for a group policy, click Edit:

    Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

    However, dragging the file into Notepad works fine and we are able to make the required changes and save it. The output of the Effective Permissions tab in the Advanced Security Settings for the file in question (same problem on every file in there) indicates that we have Full Control access to the files.

    Our accounts in Active Directory are essentially the same as Administrator, the only differences being the username and password, and the fact that Administrator does not have a profile path defined. Our user accounts are in a different OU to Administrator but moving them into the same OU has no effect.

    As a result of this issue, tweaks such as http://www.petri.com/add_unlock_user_option_to_dsa.htm only work when logged in as Administrator.

    Any ideas?
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

  • #2
    Re: Permissions issue for Domain Admins, SBS 2003

    I should add, we experience the same issue when logged in to the server locally or through RDP, or when accessing \\server\netlogon from a client workstation.
    Gareth Howells



    • #3
      Re: Permissions issue for Domain Admins, SBS 2003

      Without looking at your details, there are some things in SBS that only fully work with the 500 account (aka administrator) and not other clone accounts. This may be contrary to Standard Server best practices.
      TIA

      Steven Teiger [SBS-MVP(2003-2009)]
      http://www.wintra.co.il/
      I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

      We don't stop playing because we grow old, we grow old because we stop playing.



      • #4
        Re: Permissions issue for Domain Admins, SBS 2003

        This might be a stupid question but are you sure the user accounts are members of both "administrators" and "domain admins"? Or it might be worth making sure domain admins is added to the administrators group.

        I've just looked on a new/clean built SBS2003 box and it's the "administrators" group which gets modify rights to this area by default. Server operators just gets read.
        Last edited by Rednet; 8th September 2008, 12:05.



        • #5
          Re: Permissions issue for Domain Admins, SBS 2003

          @Rednet: We're definitely all in the appropriate groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, Mobile Users, Schema Admins, Remote Web Workplace Users, plus a couple of other groups. None of the groups are denied any permissions; we prefer not to use deny if we can help it.

          @teiger: I realise that SBS is not 'just' Windows + Exchange, but if the 'best practices' indicate that administrators should share a single account then I would have to wonder what the logic behind that is. To my mind, the idea of multiple users to one account is to be avoided.
          Gareth Howells



          • #6
            Re: Permissions issue for Domain Admins, SBS 2003

            Then I would ask how many administrators do you need in there - and what are their roles? In a SMALL business server environment, one is usually enough!
            TIA

            Steven Teiger [SBS-MVP(2003-2009)]


            • #7
              Re: Permissions issue for Domain Admins, SBS 2003

              3 administrators. Being a small company, nobody does a single job. The technical manager is also the quality manager and senior production engineer. The systems manager is also a quality supervisor. I am the only dedicated member of IT staff. Given the nature of the company and the work we do, and given the nature of our users, it is pretty standard that at least 2 of us will be involved with IT at any particular time during the day.

              I realise that SBS imposes limitations, but surely Microsoft would not force all administrators to use a single account, shared by all, providing absolutely no way to track who does what.
              Gareth Howells
