2008 R2 - 'Administrator' lost administrative privileges for AD (and Exchange)

    Question

  • Hi all. First let me say I am a complete newbie, and I'm sure I have shot myself in the foot on this one.

    Background: I have a single 2008 R2 server that I recently added the fax server role to. I got the role to work, but for some reason could not get the printer added to the active directory. I did some searching around, thought that I had a permissions problem & followed the instructions. Now I realize that I can't administer the AD or Exchange Server with the 'administrator' account. The good news is that I was smart enough to create 2 administrator backup accounts, and those 2 accounts are still working A-OK (I have full admin rights with them).

    When I say I can 'administer' the active directory, that means I can log into the AD Administrative Center, but I can't make any changes - With the exception of the computer listed in the 'Domain Controllers' group, nothing else shows in the lists (Users/OUs/etc...). For the Exchange Management Console, I can see the users listed, but I can no longer edit them (nor create new mailboxes/etc.).

    Obviously I've added 'Administrator' or the computer name to some group I shouldn't have, or made a security change SOMEWHERE to 'Administrator' or to the computer that killed me. The problem is that I made so many changes trying to get AD to list my fax printer that I can't remember what they all were. I can say that 99% of the changes I did make were either via ADAC or the Fax Printer 'printer properties'.

    I can imagine that this is going to be a multiple stage process to figure out what I did. Can someone direct me to the first thing I'll need to collect?

    Thanks!!!!


    Sunday, April 08, 2012 3:49 PM

Answers

  • Thanks for the quick replies! 

    I was in the process of gathering the answers and attempting to give some more information when I noticed I once again had admin rights in AD.  Everything showed back up, I was able to create a new test user/etc.

    Now I only seem to have a problem with my permissions for Exchange, which I assume is going to be another forum.

    Thanks for the help!

    Monday, April 09, 2012 1:16 AM

All replies

  • Hello,

    If I understand you correctly, you do NOT use the Administrator account to work, and instead work with a member of the Domain Admins security group?

    Why are you not able to use the Administrator to log on to the DC? Which error is shown when trying to log on?

    Are you aware that members of the domain/enterprise/administrators security groups still have to use RUNAS elevation to run specific tasks, because UAC prevents them by default?

    Exchange always requires that accounts are added to the specific Exchange administrative groups or inside Exchange if Exchange 2003 is used, which btw. requires Exchange 2003 SP2 to be installed to work correctly with Windows Server 2008 R2.

    By default the Administrator on the DC is a member of the following security groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners and Schema Admins.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, April 08, 2012 4:44 PM
  • Hello,

    First of all, if you have an access denied error or similar issues when using administrative tools, then try running them in an elevated prompt and check the results (which means that you have to use the run as ... option).

    If this does not help then maybe you have a problem with permissions. In this case, check the security tab on your OUs (...) and see which permissions you have. Maybe you mistakenly changed these permissions.

    Note that the delegation of administration in AD can be done using the delegation Wizard: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

    For Exchange, see that: http://technet.microsoft.com/en-us/library/aa998374%28v=exchg.65%29.aspx

    http://support.microsoft.com/kb/823018

    http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html

    Note that you can use RBAC for the delegation of the administration in Exchange 2010: http://technet.microsoft.com/en-us/library/dd298183.aspx

    More if you ask them here:

    http://social.technet.microsoft.com/Forums/en-US/category/exchangeserver

    http://social.technet.microsoft.com/Forums/en-US/category/exchange2010


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Sunday, April 08, 2012 7:37 PM
  • Sounds to me like you removed permissions and the process to protect users from themselves stepped in and corrected things via AdminSDHolder.
    http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, April 09, 2012 12:07 PM
    Moderator
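
A read-only PowerShell check of the things the replies above point to (the Administrator account's default group membership, and whether its ACL matches the AdminSDHolder template), added here as an example and not posted by any participant in the thread. It assumes the ActiveDirectory module on the domain controller and one of the working administrative accounts; the variable names are illustrative.

```powershell
# Added example: read-only checks. Run in an elevated PowerShell prompt on the DC
# with one of the working admin accounts.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# The built-in Administrator always has RID 500, even if it was renamed.
$admin = Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties adminCount

# 1. Group membership compared with the defaults listed in the first reply.
$expected = 'Administrators', 'Domain Admins', 'Domain Users',
            'Enterprise Admins', 'Group Policy Creator Owners', 'Schema Admins'
$actual = Get-ADPrincipalGroupMembership -Identity $admin | ForEach-Object { $_.Name }
Compare-Object -ReferenceObject $expected -DifferenceObject $actual |
    Select-Object @{n='Group'; e={$_.InputObject}},
                  @{n='Status'; e={ if ($_.SideIndicator -eq '<=') {'missing'} else {'extra'} }} |
    Format-Table -AutoSize

# 2. adminCount = 1 marks an account whose ACL is managed by SDProp, which runs on
#    the PDC emulator (every 60 minutes by default) and re-applies the ACL of the
#    AdminSDHolder object to every protected account and group.
$holderAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$adminAcl  = Get-Acl -Path "AD:\$($admin.DistinguishedName)"

# Reduce each ACE to a comparable string: who, allow/deny, which rights, which object type.
$aceKey = { '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.AccessControlType,
            $_.ActiveDirectoryRights, $_.ObjectType }
$holderAces = $holderAcl.Access | ForEach-Object $aceKey
$adminAces  = $adminAcl.Access  | ForEach-Object $aceKey
$aceDiff    = @(Compare-Object $holderAces $adminAces)

# A count of 0 with inheritance blocked means the account's ACL currently matches
# the AdminSDHolder template.
New-Object PSObject -Property @{
    adminCount           = $admin.adminCount
    InheritanceBlocked   = $adminAcl.AreAccessRulesProtected
    AcesDifferFromHolder = $aceDiff.Count
} | Format-List

# 3. Explicit Deny entries on the domain root and OUs (the Security tab check).
#    Everyone / Delete, DeleteTree entries come from "Protect object from
#    accidental deletion" and are expected.
$targets = @($domain.DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
$deny = foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
        Select-Object @{n='Object'; e={$dn}}, IdentityReference, ActiveDirectoryRights
}
$deny | Format-Table -AutoSize
```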