Getting "Access is denied" when running DSADD

    Question

  • I have Windows Server 2003 Beta 3 Build 6001 installed on a Dell PowerEdge 2800. 

     

    When logged in as the domain administrator, I run the following DSADD command, and it works perfectly:

     

    dsadd user "CN=Josie Straka,CN=Users,DC=labdomain,DC=local" -fn Josie -ln Straka -samid "strakajo" -display "Josie Straka" -pwd P@ssw0rd1 -pwdneverexpires yes -canchpwd no

     

    When I log in as another domain admin user, other than Administrator, I get an error:

     

    dsadd failed: CN=....: Access is denied.

     

    The user is a member of the Domain Admins AD group, and is also a member of Enterprise Admins and Group Policy Creator Owners, which I added later in troubleshooting this problem.  None of this has helped.

     

    I created the user I am logged in as now from the GUI.

     

    Is there something I'm missing?

     

     

     

    Wednesday, July 25, 2007 11:27 PM

Answers

  • this issue here is UAC!

     

    As the default administrator, UAC is not invoked. As another administrator, and it does not matter which groups he/she is a member of, UAC is invoked. Because of that the other admin receives an access denied. When executing such a tool, either disable UAC fully or implement an additional elevation script that invokes the UAC question "do you want to continue....blabla"

     

    the additional elevation script can be found here:

    http://blogs.dirteam.com/blogs/jorge/archive/2007/07/19/user-account-control-from-the-command-line.aspx

     

    remember this is a temp solution for you or a workaround. MS should fix this and I will report it to MS.

    the DS tool should behave like the NTDSUTIL tool when executed by another admin. Try it to see what I mean!

     

    Regards,

    Jorge

     

    PS.: I almost forgot! You can also right-click on the command prompt icon and select "run as an administrator" and in that command prompt window execute the DSADD command. The script I mention above is very interesting if you want to invoke elevation of privileges when a custom-made script is used from the command line, or in other words "is not UAC aware".

    Tuesday, July 31, 2007 7:26 PM
    Moderator
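    The elevation behaviour Jorge describes can be checked and handled from a script rather than by disabling UAC. The following PowerShell script is an added example, not Jorge's linked script and not part of the original thread. It assumes PowerShell 2.0 or later on Windows Vista / Server 2008 or newer, and the user DN and attributes are placeholders copied from the question; it inspects the current token, relaunches itself with a full administrator token when it finds a UAC-filtered one, and only then calls dsadd.

```powershell
# Added example (not from the thread): detect a UAC-filtered token, relaunch elevated, then run dsadd.
# Assumes PowerShell 2.0+ and a UAC-enabled Windows Vista / Server 2008 or later member/DC.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

if (-not $principal.IsInRole($adminRole)) {
    # Under UAC a second admin's interactive token is "filtered": the Administrators SID is
    # marked deny-only, so IsInRole returns $false even though the account is in Domain Admins.
    # The built-in Administrator account is exempt from filtering by default, which is why the
    # same dsadd command "just works" for it.
    Write-Host "Token is not elevated; relaunching with a full token (UAC prompt will appear)..."
    $scriptPath = $MyInvocation.MyCommand.Path
    $psArgs = "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
    Start-Process -FilePath "powershell.exe" -ArgumentList $psArgs -Verb RunAs
    exit
}

# From here on the process holds the full administrator token.
# whoami /groups makes the difference visible: with a filtered token the Administrators line
# carries "Group used for deny only"; after elevation it reads "Enabled group".
whoami /groups | Select-String -Pattern 'Administrators'

# Placeholder DN and attributes (taken from the question); substitute real values.
# "-pwd *" makes dsadd prompt for the password instead of leaving it in the command line history.
$dn = 'CN=Josie Straka,CN=Users,DC=labdomain,DC=local'
dsadd user $dn -fn Josie -ln Straka -samid strakajo -display "Josie Straka" -pwd * -pwdneverexpires yes -canchpwd no

if ($LASTEXITCODE -ne 0) {
    # An "Access is denied" here, after elevation succeeded, is a real ACL problem on the
    # container rather than UAC, which is the distinction Jorge's later post makes.
    Write-Error "dsadd failed with exit code $LASTEXITCODE"
}
```

    Run it from a normal (non-elevated) console as the second domain admin: the first pass prints the "not elevated" message and triggers the consent prompt, the elevated pass shows the Administrators group as "Enabled group" and runs dsadd. Keeping UAC on and elevating per invocation preserves the protection the later replies argue for, instead of turning it off domain-wide.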
  •  

    I agree on what it is for. However, just throwing in an "access denied" without any other info is kinda difficult for people to understand what's going on and especially WHY?

    As the OP mentioned: "he forgot"... A lot of people will need to get accustomed to things like these. If it is Vista or W2K8, maybe elevation is not kicking in for the app you are using or you do not have the correct permissions.... If an OS is used like w2k/w2k3/wxp, the access denied really means access denied.

     

    as I describe here:

    http://blogs.dirteam.com/blogs/jorge/archive/2007/08/01/access-denied-does-not-seem-to-be-what-it-really-means.aspx

    http://blogs.dirteam.com/blogs/jorge/archive/2007/07/19/user-account-control-from-the-command-line.aspx

    Monday, August 20, 2007 2:31 PM
    Moderator

All replies

  • What happens when logged on as that user, if you try and add a user through AD Users and Computers?

     

     

    Cheers

     

    MK

    blogs.technet.com/mkleef

     

    Sunday, July 29, 2007 4:10 AM
  • It works perfectly fine. 

     

    To confirm that it was OS related (insofar as that it seemed to fail on Win2K8), I wiped my testbed and added Win2K3, and it worked fine.

     

    Before I wiped it, I copied the Administrator user using AD Users and Computers, then logged in as that user, and got the same failures.

     

    I wonder now if it was just a bug with Win2K8 Beta 3 -- actually, this version was called Longhorn.

     

    Thanks!

     

     

    Monday, July 30, 2007 3:43 AM
  • I did forget that the security of Win2K8 is based on the WinVista model.  I'm glad you're reporting it.  It does seem like common sense that a user that is a member of the Domain Admin group would naturally have privileges to run scripts at the command level. 

     

    I'm all for security, but at the risk of simple everyday scripts not working? 

     

    Thanks again. 

     

    Richard

     

     

    Tuesday, July 31, 2007 10:29 PM
  • "Everyday" scripts can risk the integrity of the OS just like an interactive user can. That's what UAC is for....to protect system integrity.

     

    Monday, August 20, 2007 9:25 AM