Sunday, April 08, 2012 3:49 PM
Hi all. First let me say I am a complete newbie, and I'm sure I have shot myself in the foot on this one.
Background: I have a single 2008 R2 server that I recently added the fax server role to. I got the role to work, but for some reason could not get the printer added to the active directory. I did some searching around, thought that I had a permissions problem & followed the instructions. Now I realize that I can't administer the AD or Exchange Server with the 'administrator' account. The good news is that I was smart enough to create 2 administrator backup accounts, and those 2 accounts are still working A-OK (I have full admin rights with them).
When I say I can 'administer' the active directory, that means I can log into the AD Administrative Center, but I can't make any changes - With the exception of the computer listed in the 'Domain Controllers' group, nothing else shows in the lists (Users/OUs/etc...). For the Exchange Management Console, I can see the users listed, but I can no longer edit them (nor create new mailboxes/etc.).
Obviously I've added 'Administrator' or the computer name to some group I shouldn't have, or made a security change SOMEWHERE to 'Administrator' or to the computer that killed me. The problem is that I made so many changes trying to get AD to list my fax printer that I can't remember what they all were. I can say that 99% of the changes I did make were either via ADAC or the Fax Printer 'printer properties'.
I can imagine that this is going to be a multiple stage process to figure out what I did. Can someone direct me to the first thing I'll need to collect?
- Edited by Steven Stucker Sunday, April 08, 2012 3:51 PM
Sunday, April 08, 2012 4:44 PM
If I understand you correctly, you do NOT use the Administrator account to work, and instead work with a member of the Domain Admins security group?
Why are you not able to use the Administrator account to log on to the DC? Which error is shown when trying to log on?
Are you aware that members of the domain/enterprise/administrators security groups still have to use RUNAS elevation to run specific tasks, because UAC prevents them by default?
Exchange always requires that accounts are added to the specific Exchange administrative groups, or inside Exchange if Exchange 2003 is used, which btw. requires Exchange 2003 SP2 to be installed to work correctly with Windows Server 2008 R2.
By default the Administrator on the DC is member of the following security groups: Administrators, Domain admins, domain users, Enterprise admins, Group policy creator owners and Schema admins.
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Sunday, April 08, 2012 7:37 PM
First of all, if you have an access denied error or similar issues when using administrative tools, then try running them in an elevated prompt and check the results (which means that you have to use the run as ... option).
If this does not help then maybe you have a problem with permissions. In this case, check the security tab on your OUs (...) and see which permissions you have. Maybe you mistakenly changed these permissions.
Note that the delegation of administration in AD can be done using the delegation Wizard: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
For Exchange, see that: http://technet.microsoft.com/en-us/library/aa998374%28v=exchg.65%29.aspx
Note that you can use RBAC for the delegation of the administration in Exchange 2010: http://technet.microsoft.com/en-us/library/dd298183.aspx
More if you ask them here:
Monday, April 09, 2012 1:16 AM
Thanks for the quick replies!
I was in the process of gathering the answers and attempting to give some more information when I noticed I once again had admin rights in AD. Everything showed back up, I was able to create a new test user/etc.
Now I only seem to have a problem with my permissions for Exchange, which I assume is going to be another forum.
Thanks for the help!
- Marked As Answer by Steven Stucker Monday, April 09, 2012 1:16 AM
Monday, April 09, 2012 12:07 PM Moderator
Sounds to me like you removed permissions and the process to protect users from themselves stepped in and corrected things via AdminSDHolder.
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
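The AdminSDHolder mechanism named in the last reply periodically resets the ACL of protected accounts and groups to match the template ACL on the AdminSDHolder object. As an added example (not part of the thread), this PowerShell lists the objects flagged with adminCount=1 and reports where their ACL differs from that template; it assumes the ActiveDirectory module is available and that AdminSDHolder sits in its default location under CN=System, and the function names are hypothetical.

```powershell
# Added example, not from the thread: compare protected objects' ACLs
# with the AdminSDHolder template. Read-only; changes nothing in AD.
# Assumes the ActiveDirectory module (present on a 2008 R2 DC or via RSAT).
Import-Module ActiveDirectory

function Get-AceKey {
    # Flatten one ACE into a string so two ACLs can be compared as sets.
    param($Ace)
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference, $Ace.AccessControlType,
        $Ace.ActiveDirectoryRights, $Ace.ObjectType,
        $Ace.InheritedObjectType, $Ace.InheritanceType
}

function Compare-ToAdminSDHolder {
    # Report ACEs present on only one side (template vs. object).
    param([string]$DistinguishedName, [string[]]$TemplateKeys)
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    $keys = @($acl.Access | ForEach-Object { Get-AceKey $_ })
    $diff = @(Compare-Object -ReferenceObject $TemplateKeys -DifferenceObject $keys)
    New-Object PSObject -Property @{
        DistinguishedName  = $DistinguishedName
        # Protected objects normally have inheritance disabled.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        MissingFromObject  = @($diff | Where-Object { $_.SideIndicator -eq '<=' } |
                                 ForEach-Object { $_.InputObject })
        ExtraOnObject      = @($diff | Where-Object { $_.SideIndicator -eq '=>' } |
                                 ForEach-Object { $_.InputObject })
    }
}

# Template ACL: CN=AdminSDHolder,CN=System,<domain DN> (default location).
$domainDn     = (Get-ADDomain).DistinguishedName
$template     = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"
$templateKeys = @($template.Access | ForEach-Object { Get-AceKey $_ })

# adminCount=1 marks objects that are, or once were, protected.
Get-ADObject -LDAPFilter '(adminCount=1)' |
    ForEach-Object {
        Compare-ToAdminSDHolder -DistinguishedName $_.DistinguishedName `
                                -TemplateKeys $templateKeys
    } |
    Select-Object DistinguishedName, InheritanceBlocked, MissingFromObject, ExtraOnObject
```

The reset runs on the PDC emulator, by default once an hour, so a difference reported here may disappear on a later run. Objects that have left every protected group keep adminCount=1, so differences on those are expected.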