Domain admin inconsistent admin permissions? - not true local admin?

  • Question

  • We just converted our first 50 (of 250) PCs from Win7 to WinX. I am having issues with lack of some permissions as domain admin servicing clients. I normally log in to client PCs as domain admin for all service work and never had any issues on Win7 clients.

    I can add printers and install new applications.

    I cannot check the properties of a previously installed printer.

    I cannot perform some tasks that a local end user can perform.

    I get errors saying it cannot execute c:\windows\system32\somefile.*

    I am logged in as system admin. In this domain the server is Server 2007 Standard SP2.

    Thanks for your help.

    KA

    Friday, March 23, 2018 2:43 PM

Answers

  • I just tried the admin account as seen in my image of domain admins. It seems admin is a true domain admin on winX client PCs. It seems moam is not a true domain admin. Problem solved. But, the mystery continues as to why one domain admin has privileges but not all. Why is AD inconsistent concerning only winX and not win7?

    More importantly, what was the design goal for this change in winX? While having a solution is good, I prefer to learn why they changed the definition of domain admin in winX.

     
    • Marked as answer by Swain IT Tuesday, April 3, 2018 3:14 PM
    Tuesday, April 3, 2018 3:14 PM

All replies

  • Hi,

    I found an article that may give you some ideas; please refer to the link:

    Automatically diagnose and repair Windows file and folder problems

    https://support.microsoft.com/en-us/help/17590/automatically-diagnose-and-repair-windows-file-and-folder-problems

    Best Regards,

    Tao



    Monday, March 26, 2018 3:16 AM
  • This seems to be a permissions issue. I can duplicate it on two domains, so I doubt this is a server version issue. The domain admin must be able to perform basic configuration tasks on all client PCs on the domain.

    Tuesday, March 27, 2018 12:42 PM
  • I get a similar error when attempting to add the "This PC" and "User" desktop icons. When logged in as a user, I am able to perform such basic tasks. Why do the users have more permissions than the domain admin on Windows Ten PCs?

    Tuesday, March 27, 2018 12:46 PM
  • It seems this has been asked before, about two years ago. It seems no one has an answer after two long years. Wow!

    Old thread unanswered


    • Edited by Swain IT Tuesday, March 27, 2018 7:44 PM
    Tuesday, March 27, 2018 7:33 PM
  • Tao,

    Thanks for your time and efforts. I tried your utility and saved a copy for other issues. It is always great to have new tools.

    But, this is a permissions issue. It did not help.

    KA

    Tuesday, March 27, 2018 8:08 PM
  • Are there typos in this thread? 'Server 2007 Standard SP2', do you mean Server 2008 SP2? (OP)

    The two links are duplicates (Replies). The issue in that thread is the Domain Admins group is missing from a DC. The OP rebuilt them and solved the issue. So does Domain Admins appear in the admins group on these PCs?

    Tuesday, March 27, 2018 10:38 PM
  • Yes, a typo, but same issue on a much newer domain, 2016 servers. moam is my domain admin for this domain. See image.

    Wednesday, March 28, 2018 4:19 PM
  • Here is the corrected link to this two year old unanswered question.

    Still unanswered - same issue

    I did find a registry hack to enable local admin within the security group policy. After making the change and rebooting some clients, I am still unable to perform most admin tasks as the domain admin, as I have done for years previously. I also tried deleting clients from the domain and adding them back but that did not help.

    I should also ask, why was this done on WinX? How are other domain admins performing basic configuration changes to clients? What motivated MS to make such a drastic change? Is this in defense of crypto-lockers?

    Thanks in advance.

    KA

    Wednesday, March 28, 2018 4:30 PM
  • That Still unanswered thread is a different issue about using the domain Administrator. I get the same error as your first screenshot if I use the domain administrator account trying to print a test page. As the answer on the Still unanswered says 'it appears to frown upon logging in with the domain administrator account'. If I log in with a user in the Domain Admins group it works fine.

    • Proposed as answer by Tony_Tao Tuesday, April 3, 2018 2:07 AM
    Wednesday, March 28, 2018 8:25 PM
  • Hi,
     
    On 23.03.2018 at 15:43, Swain IT wrote:
    > We just converted our first 50 (of 250) PCs from Win7 to WinX. I am
    > having issues with lack of some permissions as domain admin servicing
    > clients.
     
    Whatever it is: you broke it, it's a problem of "your" environment.
    This is not the expected behavior.
     
    What do you mean by "converted"? Clean NEW install or update?
    Is your account a member of the local administrators group?
    Did you test it against a clean system without any group policy (despite
    password/kerberos/account)?
    You know there is UAC now?
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10
     
    Thursday, March 29, 2018 6:59 AM
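
The checks Mark asks about above (local Administrators membership, UAC), gathered into one PowerShell script. This is an added example, not part of any post in the thread; it assumes Windows PowerShell 5.1 on the Windows 10 client, and the property names in the output object are chosen here for illustration.

```powershell
# Added diagnostic example; run on the Windows 10 client as the account being tested.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$adminSid  = 'S-1-5-32-544'   # well-known SID of the local BUILTIN\Administrators group

# 1. Local Administrators membership: list the members and look for Domain Admins (RID 512).
$members = Get-LocalGroupMember -SID $adminSid
$domainAdminsPresent = [bool]($members | Where-Object { $_.SID.Value -match '-512$' })

# 2. Token state: under UAC a non-elevated process carries the Administrators SID as
#    deny-only, so IsInRole returns $false even for a genuine member of the group.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 3. Is the logged-on account the built-in Administrator (RID 500, local or domain)?
$isRid500 = $id.User.Value -match '-500$'

# 4. UAC policy values that control how administrator tokens are filtered.
#    A value that is not set in the registry shows up as empty in the output.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

[pscustomobject]@{
    Account                    = $id.Name
    AccountSid                 = $id.User.Value
    IsBuiltInAdministrator     = $isRid500
    ProcessElevated            = $elevated
    DomainAdminsInLocalAdmins  = $domainAdminsPresent
    EnableLUA                  = $uac.EnableLUA
    FilterAdministratorToken   = $uac.FilterAdministratorToken
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
} | Format-List

# Full member list of local Administrators, for comparison between Win7-era and Win10 clients.
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

Running it once from a normal prompt and once from an elevated prompt, for each of the two accounts compared in the thread, shows whether the difference lies in group membership or in token filtering.
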
  • The server is 2008 not 2007. Converted via the media creation tool run via the desktop.
     I can't even add printers, a correction to the original thread.
    • Edited by Swain IT Monday, April 2, 2018 6:00 PM
    Monday, April 2, 2018 5:34 PM
  • This problem did not exist for Win7. I checked my AD domain administrator membership, which indicates that moam is a member, but moam is unable to perform basic PC configuration, i.e. users have higher privileges than moam, a domain administrator.

    It seems MS redefined long established AD roles. Prior to WinX, the domain administrator was in god mode by default. OK, fine, WHATEVER! But, what account is the "administrator of the domain" supposed to use when logging onto client PCs for the purpose of configuring the client PC?

    It seems ludicrous that the domain administrator cannot install printers or print test pages.

    To me, the only logical reason for breaking such long standing roles seems to be an effort at stopping crypto-lockers from total destruction. Again, fine, whatever. But, please inform us what are the new best practices?

    How do we do our jobs more efficiently in this new security paradigm? It still seems odd that "domain administrator" means one thing in Win7 but something different in WinX. I fail to see the strategy.

    KA

    Monday, April 2, 2018 5:50 PM
  • Heitbrink, I updated the threads. I hope it is clear to you now. I broke nothing, W7 PCs continue to work normally. Many others have posted similar threads, all unanswered after two years. This new flaw is true on two different domains, Server 2007 and Server 2016 ADs.

    Just to be very clear:

    What account is the domain administrator supposed to use for logging onto client PCs for the purpose of routine maintenance, updates, and installs? Will this account work for both W7/WX? Or, do I need one domain admin for W7 and a different one for WX? That seems quite silly to even ask. But, thanks.

    KA

    Monday, April 2, 2018 5:58 PM
  • Monday, April 2, 2018 9:04 PM
  • We already had moam (master of all machines) added to the domain admin group such that we can use moam to configure Win7. Why did WinX break established roles? How to fix this?
    Monday, April 2, 2018 9:06 PM
  • This is not the answer. See the image showing moam as a member of domain admins! Using moam works on win7 but NOT on winX.
    Tuesday, April 3, 2018 12:16 PM