Announcement

Collapse
No announcement yet.

Restricted Domain admin on 2003 R2

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Restricted Domain admin on 2003 R2

    Good Morning,

    I have an interesting situation. I recently built a standalone server (2003 R2 Standard Edition), which is a member of our domain, but not a DC. After a couple of logins, the domain admin accounts that we use have been severely restricted by policy of some sort. As a domain admin I can no longer administer the server, and all programs, etc. are no longer showing in Start menu. I do have full admin rights by logging on to the local machine as the local admin. No local policies have been configured for this machine, so there have been no restrictions purposely set.
    All other servers in the Domain are 2003 Standard, not the R2 release and this problem does not exist on any of them.

    Any ideas would be appreciated.

  • #2
    Re: Restricted Domain admin on 2003 R2

    What policies do apply to that box?
    Can you run any of the apps if you find the executable?
    Did these domain admin accounts see the start menu originally and now see less or did they only ever see the reduced menu (i.e. the default and all user profiles have been changed)?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?

    Comment


    • #3
      Re: Restricted Domain admin on 2003 R2

      This box is in the same AD OU as the other servers in the domain. Initially this box allowed full access, then login by login starting restricting the permissions on all domain/enterprise admins. All end users are able to access the shares, etc. and backups all run without a hitch. Being unable to see any executables or the run line, I don't know if these accounts can run them.

      Comment


      • #4
        Re: Restricted Domain admin on 2003 R2

        The box may be in the same OU but are the users?
        What does gpresult show?

        Can you drop some shortcuts on the desktop or C: just to test?
        cheers
        Andy

        Please read this before you post:


        Quis custodiet ipsos custodes?

        Comment


        • #5
          Re: Restricted Domain admin on 2003 R2

          Hi,

          I've had a similar situation. In my case the server is a DC - but is still 2003 Std R2 SP2.

          I connected to the server in the morning with my Domain Admin account and all worked fine. However when I tried to log back in after an unexpected reboot (SAN problems messing with the VM's) I encountered the problem, eg: all secure/admin only files were unavailable to me; I couldn't restart any services - basically I had "user" only access. When I attempted similar on the W2K3 Std (original flavour, not R2) there was no problem - so it appears to be an R2 issue.

          I checked all security, settings, etc... I even tried adding "Enterprise Admin" to my account (because the "Administrator" user still had full access), but no luck. I eventually just added the Domain Admins to the BuiltIn\Administrators group. Problem solved.

          However, it still doesn't answer the question: why did this occur, especially considering there were no updates?

          (While I've fixed the problem, I'm submitting this post as it may help someone else. Any thoughts on the problem would be appreciated though!!).

          Comment


          • #6
            Re: Restricted Domain admin on 2003 R2

            There may be a GPO running that is changing group membership.

            Comment


            • #7
              Re: Restricted Domain admin on 2003 R2

              Thanks so much, Virtual... you are right.

              There was a Restricted Group set up that changed the members of the Builtin\Administrators group.

              Comment

              Working...
              X