none
Access Denied to RSAT for all 'Domain Admin' Group Members

    Question

  • Hello Guys,

    I think we have got a really unique and weird issue. I am admin of our AD Domain which consists of 4 Domain Controllers across 2 AD sites. I also have Enterprise Admin, Schema Admin and Domain 'Administrators' rights.

    Few Days ago, I turned on my laptop and found that I am not able to connect to 'AD Users & Computers' snap-in and any other RSAT tool related to AD from any remote machine. Even my AD PowerShell snap-in refused to load with an error asking me to see the inner exception. Then I logged on to my domain controller and started the AD Users and Computers Snap in and it loaded perfect and worked well.

    Still to find out why it is not working in my machine, I involved network team and checked if all ports from my laptop network are opened to server, and found that they are proper. Just to check the issue, I removed myself from 'Domain Admins' group and like a miracle, everything worked for me. My AD snap-ins worked from my laptop.

    Now my question is, what permissions are missing for Domain Admins that it is not allowing me to Access AD when I am part of Domain Admins group.

    Expecting a Logical Answer.

    Thanks,

    Sameer Gawde

    Thursday, March 13, 2014 7:36 AM

Answers

  • Domain Admin had become member of too many groups in AD. so it was prompting this error.

    - Sameer Gawde

    • Marked as answer by IN Sameer Gawde Thursday, September 04, 2014 11:53 AM
    Thursday, September 04, 2014 11:53 AM

All replies

  • Hi Sameer,

    Its really weird. Domain Admins are god's of the domain environment. They have all the permissions in that domain. So i dont think they need any additional permissions to access RSAT tools.

    It might be a application issue with the laptop. Try reinstalling the application and also try with another domain administrator account to make sure that this is not a permission issue. 


    Regards,
    Rafic

    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    Thursday, March 13, 2014 7:49 AM
  • This issue is with all the users in domain controller group wherein dsa.msc is giving error as access denied but when accessing from one of the four domain controller we are able to access the active directory users and computers.

    One thing we noticed that when we right click and select change domain controller it showing offline for the domain controller from which we are connected or on the domain which we are logged in to.

    Thursday, March 13, 2014 9:28 AM
  • Hello Rafic,

    I have tried this with number of users. I have given some IT users delegated permissions. They are able to access AD through RSAT but when I add any one of them to Domain Admins group, bang! access is gone. If I again remove them from Domain Admins, they get their access back.

    Dont understand why domain's gods have no right to access AD from their machines. :(

    Do MS experts have any answer to this?????

    Regards,

    Sameer Gawde

    Friday, March 14, 2014 10:23 AM
  • Hi Sameer Gawde,

    Would you please let me know complete error messages when use RSAT and PowerShell?

    In addition, the RSAT is based on MMC console. Please check if you have enabled group policy setting to restrict MMC snap-ins? In GPME, please refer to the path: User Configuration-> Policies-> Administrative Templates-> Windows Components-> Microsoft Management Console-> Restrict users to the explicitly permitted list of snap-ins. Meanwhile, please check if you configure the Don't run specified Windows applications setting (path: User Configuration-> Policies-> Administrative Templates-> System-> configure) to limit RSAT and apply to the domain admin group. This issue is really strange. Just please check and confirm. Thanks for understanding.

    Please logon DC via Admin account, then navigate to: ADUC-> Users. Please select and right click Domain Admins group and select Properties. Please select Member Of tab and check which did this group member of.

    Meanwhile, please open Component Services and expand “Component Services-> Computers-> My Computer”.  Then right click My Computer and select Properties. In COM Security tab, under Access Permissions, please check how configure the “Edit Limit”.

    By the way, please navigate to Event Viewer and check if can find some related clues.

    Hope this helps.

    Best regards,

    Justin Gu

    Monday, March 17, 2014 6:00 AM
  • Domain Admin had become member of too many groups in AD. so it was prompting this error.

    - Sameer Gawde

    • Marked as answer by IN Sameer Gawde Thursday, September 04, 2014 11:53 AM
    Thursday, September 04, 2014 11:53 AM