Windows Server 2019 - Domain Admin getting access denied

  • Question

  • We have a new Server 2019 STD that joined to an existing 2008 R2 STD server that is being migrated to.

    We are having a weird issue where the domain admin user doesn't have permission to do anything such as edit NETLOGON .bat files, getting "access denied". Domain admin is fine on the 2008 server but on the 2019, get the same error.

    Some research shows it being caused by UAC but even if I turn off UAC, getting same error.

    If I add the two GPO policies:

    Look for User Account Control: Admin Approval Mode for the Built-In Administrator Account - SET TO DISABLED
    Look for User Account Control: Run all administrators in Admin Approval Mode - SET TO DISABLED

    It allows me to edit these files.

    However, I believe this is also causing a problem where some installers do not install, as I noticed the domain admin is now in an elevated state (if I open CMD, it shows C:\Windows\System rather than C:\Users\Administrator for the folder).

    Does anyone know how to resolve this issue with the UAC correctly? As mentioned, the admin user on the 2008 server is fine.

    Thursday, November 21, 2019 1:10 AM
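
Added example, not part of the original post: a PowerShell check to run on the 2019 server that reports the registry values behind the two UAC policies named in the question, whether the current console holds the full administrator token, and the ACL on the NETLOGON share. Reaching the share through the local computer name is an assumption.

```powershell
# Added diagnostic sketch (not from the thread). Run on the affected 2019 server.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry values that back the two UAC policies named in the question.
$uacPolicies = [ordered]@{
    EnableLUA                = 'Run all administrators in Admin Approval Mode'
    FilterAdministratorToken = 'Admin Approval Mode for the Built-In Administrator account'
}
$current = Get-ItemProperty -Path $policyKey
$policyReport = foreach ($name in $uacPolicies.Keys) {
    $raw = $current.$name
    [pscustomobject]@{
        Policy = $uacPolicies[$name]
        Value  = $name
        State  = if ($null -eq $raw) { 'not set' } elseif ($raw -eq 1) { 'Enabled' } else { 'Disabled' }
    }
}
$policyReport | Format-Table -AutoSize

# Is this console running with the full administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"{0} elevated: {1}" -f $identity.Name, $elevated

# In a filtered (non-elevated) token, BUILTIN\Administrators (S-1-5-32-544)
# is listed as "Group used for deny only".
whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544'

# ACL on the NETLOGON share root. Assumption: the share is reachable through
# the local computer name.
$netlogon = "\\$env:COMPUTERNAME\NETLOGON"
try {
    (Get-Acl -Path $netlogon -ErrorAction Stop).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not read the ACL on ${netlogon}: $($_.Exception.Message)"
}
```

Running it once from a normal console and once from a "Run as administrator" console shows the difference between the filtered and the full token.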

All replies

  • I'd check that Windows is patched to latest build or if problem persists possibly try some different installation media.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, November 21, 2019 3:20 PM
    Owner
  • Hi,

    Did you check if the same GPOs are being applied to both the servers? It could be that the old server is getting/having different configuration as compared to the new server.

    Thanks

    Thursday, November 21, 2019 3:36 PM
  • Can't really try a different installation media as server already joined and set up as a DC.
    Thursday, November 21, 2019 8:10 PM
  • The GPOs seem to be applied to both servers. I don't see any GPO entries that might cause this problem.
    Thursday, November 21, 2019 8:11 PM
  • Can't really try a different installation media as server already joined and set up as a DC.

    Should not be a problem, you should be able to have a new one stood up in about an hour.

    You can use dcdiag / repadmin tools to verify health, correcting all errors found before starting. Then stand up the new 2019, patch it fully, license it, join existing domain, add Active Directory Domain Services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer PDC emulator role (optional), use dcdiag / repadmin tools to again verify health; when all is good you can decommission / demote old one.

    Regards, Dave Patrick ....

    Thursday, November 21, 2019 8:26 PM
    Owner
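
The health verification and FSMO check from the reply above, as an added PowerShell example that is not part of the original post. It assumes the AD DS tools (dcdiag, repadmin, netdom) are installed and the console is elevated on a domain controller.

```powershell
# Added sketch (not from the thread). Run elevated on a domain controller.

# dcdiag /q prints only errors, so any output is worth reading.
$dcdiagErrors = dcdiag /q
if ($dcdiagErrors) { $dcdiagErrors } else { 'dcdiag: no errors reported' }

# Replication status for every DC, parsed into objects.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv

# Flag links with recorded failures, plus rows repadmin marks as errors
# (for example a DC it could not contact).
$failing = $repl | Where-Object {
    $_.showrepl_COLUMNS -eq 'showrepl_ERROR' -or [int]$_.'Number of Failures' -gt 0
}
if ($failing) {
    $failing |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    'repadmin: no replication failures reported'
}

# Current FSMO role holders, to confirm the result of any role transfer.
netdom query fsmo
```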
  • I had someone (another IT consultant) look at the replication and there are no issues with dcdiag after running it. I can't redo this server as this server is already running two other major software on it without an issue and setting up a new one might cause issues.

    Could a group policy of some kind cause this? Wondering if I should turn to Microsoft support to look at it at this point?

    The other person said to try demoting and promoting the server again to a DC.


    • Edited by MasterNe0 Sunday, December 1, 2019 11:50 PM
    Sunday, December 1, 2019 11:49 PM
  • The other person said to try demoting and promoting the server again to a DC.


    You can try that, also a better option is to stand up other virtual machines for the various applications. Much less complication when a problem arises as you have just come to find out.

    Yes, you can also start a case here with product support.

    https://support.microsoft.com/en-us/hub/4343728/support-for-business

    Regards, Dave Patrick ....

    Sunday, December 1, 2019 11:53 PM
    Owner
  • Wish I could set up a VM or some backup option but there is only 1 new physical server at this location for a small client. Server already set up as a physical Windows server that is the problematic one at the moment.

    • Edited by MasterNe0 Monday, December 2, 2019 12:11 AM
    Monday, December 2, 2019 12:10 AM
  • The better option is to install Windows on host, patch fully, add Hyper-V role as only role on host. Stand up two virtual machines. One for Active Directory Domain Services, other as application server. A Standard edition license allows for this configuration.

    Regards, Dave Patrick ....

    Monday, December 2, 2019 12:14 AM
    Owner