Locked W2k8 R2 Domain: Permission problem

  • Monday, August 17, 2009 10:29 AM
     
     
    I have the following scenario: 1 DC and 1 domain-joined member server, same subnet, all 2008 R2. Forest functional level is 2008 R2.
    If I work with the built-in Administrator, everything works perfectly. I've created a new user (a copy of the built-in Administrator), named it ADM, and with this account I have problems accessing files and directories which have permissions only for System & Administrators. I've added the ADM account explicitly to the local Administrators group of the member server; same behavior. OK, since I'm in the testing phase, I've moved on to another chapter and left the file permissions aside.

    Next I tried to create a Managed Service Account in PowerShell. For this I used the ADM account. Even if PowerShell is started as Administrator, I get the following error message during creation: New-ADServiceAccount : Access is denied. If I use the built-in Administrator (the source of my copied ADM account), everything works like a charm.

    OK, possibly there is a problem with my installation, so I set up another DC and tried only the New-ADServiceAccount thing. Same results. With the built-in Administrator -> OK; with another account (with Domain Admins, Enterprise Admins, ... permissions) I still get an Access denied.

    What's wrong with my setup?

    Thanks for your reply ...

    Daniel

All Replies

  • Monday, August 17, 2009 8:31 PM
     
     Answered

    Problem is solved; there were two things.

    1. File permissions: Disable UAC. OK, it's more a workaround than a real solution ...

    2. New-ADServiceAccount: The password for the user who performs the tasks has to be different from the Administrator's password.

  • Tuesday, August 18, 2009 2:29 AM
    Moderator
     
     

    Hi Daniel,

    Thank you for posting here.

    The file permission issue may be caused by the UAC Admin Approval Mode. You can try to disable it. For detailed information, please refer to the following article.

    Administrators in Admin Approval Mode

    http://technet.microsoft.com/en-us/library/cc507861.aspx

    Regarding the New-ADServiceAccount error, I tried to create an administrator account whose password is the same as the built-in administrator's and I didn’t get the Access is Denied error. This may be caused by other factors. If you would like to, create another admin account to test.

    Thanks.

    Mervyn

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  


    This posting is provided "AS IS" with no warranties, and confers no rights.
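
As an added example (not part of the original thread), the PowerShell below reports whether the current session holds a filtered Admin Approval Mode token, the situation the moderator's reply points to for the file permission issue. The registry value names are the standard UAC policy values; the fallback defaults used when a value is absent, and the wording of the findings, are assumptions of this example.

```powershell
# Added diagnostic, not from the thread: compare the UAC policy with the
# current token to see whether Admin Approval Mode is filtering it.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

function Get-PolicyValue([string]$Name, [int]$Default) {
    # Assumption: a missing value is treated as the documented default.
    $prop = $policy.PSObject.Properties[$Name]
    if ($prop) { [int]$prop.Value } else { $Default }
}

$enableLua    = Get-PolicyValue 'EnableLUA' 1                 # 1 = UAC on
$filterRid500 = Get-PolicyValue 'FilterAdministratorToken' 0  # 0 = built-in Administrator exempt

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# True only when BUILTIN\Administrators is *enabled* in this process token.
$isElevated = $principal.IsInRole($adminRole)

# RID 500 identifies the built-in Administrator account.
$isBuiltIn = $identity.User.Value -match '-500$'

# A filtered token still lists S-1-5-32-544, but as a deny-only group.
# /nh plus explicit headers keeps this independent of the display language.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header 'Name', 'Type', 'SID', 'Attributes'
$adminsInToken = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })

if (-not $enableLua) {
    $finding = 'UAC is off: administrators always receive a full token.'
} elseif ($isElevated) {
    $finding = 'Full administrator token (elevated process or exempt account).'
} elseif ($adminsInToken) {
    $finding = 'Filtered token: Administrators is deny-only, so ACLs that ' +
               'allow only SYSTEM/Administrators do not apply. Run elevated.'
} else {
    $finding = 'Account is not a member of the local Administrators group.'
}

New-Object PSObject -Property @{
    User                     = $identity.Name
    BuiltInAdministrator     = $isBuiltIn
    EnableLUA                = $enableLua
    FilterAdministratorToken = $filterRid500
    Elevated                 = $isElevated
    Finding                  = $finding
} | Format-List
```

Running it once as the built-in Administrator and once as the copied account, in the same kind of session, makes the difference between the two tokens visible without changing any UAC setting.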