"Administrator" Domain Admin account is loggen in on temporary profile.

Similar Messages

• Software always installs to Domain Admin account on connected PC-cant install to Domain User account

  I have completed the following steps:
  Set up Windows Server 2012 R2 Essentials successfully
  Successfully connected a Windows 8.1 Pro PC to the network by running the Essentials Connector software
  The PC has the following users: Original local account created when I installed Windows 8, Domain Admin account created when I ran the Essentials Connector account, Domain User created after PC was connected to the network.
  Everything seems to be working fine. I have installed MS Office 365 Pro, Skype, various other applications while logged in as the Domain User. Every one of these installs triggered a UAC prompt, which was expected, and after entering the Domain Admin
  credentials the install proceeded successfully. After install, the software was available to the Domain User, shortcuts appeared in the Start Menu or Desktop, appropriate directories were created in the Documents folder.
  All except for 3 applications - upon being prompted for permission to install, I enter the Domain Admin credentials, installation proceeds, but the software is installed to the Domain Admin account-not the Domain User account. Shortcuts appear on the Domain
  Admin desktop-Not the Domain User account, etc. I've tried:
  Downloading a new copy of the software to the Domain User desktop & running it from there
  Right-click file, Install as Admin
  click file, Install as a different user
  Right clicking file, Properties>Compatibility & changing compatibility settings
  Right clicking file, Properties>Compatibility>Run as Administrator
  None of these options have changed the result, the software is still installed to the Domian Admin account as opposed to the Domain User account. Any idea why these 3 software wont install correctly but everything else has? Any suggestions as to how to install
  the software to the profile that doesn't involve making the Domain User an Administrator? Thanks for any help!

  Hi voltron5,
  Many programs may provide options: "install for everyone" or "just for current user", when you install them.
  Please check if there are such options during the installation process.
  If those three programs are all third-party applications. I suggest you should contact with the corresponding
  support and confirm this.
  If those three programs are Microsoft applications, would you please let me know specific information of those
  three applications? Such as their names and so on. Meanwhile, when complete the installation, please check the software path was added in administrator environment variables or system environment variables.
  Hope this helps.
  Best regards,
  Justin Gu

• Group Policy changes cause Access Denied error for Domain Admin account

  Hi All,
  I am battling to get WSUS to work, and I think the route cause is problems editing the domain and domain controller group policy objects.
  We have 1 DC, approx 20 clients. 1 GPO for DC, 1 GPO for clients. Ther e is a link to the default domain GPO in our staff (users) OU, I don't know if it should be there or not.
  I log in as domain administrator, right-click the domain GPO in GPMC, click Edit.
  Find the setting I want to edit (specify intranet microsoft update service location), double click.
  Change something, click OK.
  I get error:
  Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continute.
  Access is denied. (Exception from HRESULT: 0x80070005
  (E_ACCESSDENIED)).
  I have followed the steps in the links posted by Brent in another post called: "restricting-domain-admin-account-to-edit-group-policies" (no links allowed for my account yet sorry) and the user does have edit settings, delete, modify security delecation.
  PLEASE NOTE: the solution may very well be something very simple/basic. I am reasonably computer savvy, but have just upgraded the whole network for an NGO on a voluntary basis. Never seen a sever before I came here, but I'm the best they have. Please bare
  that in mind when offering advice :)
  Any help appreciated!
  James

  More diagnostic info:
  Inside GPMC, there's Group Policy Results.
  If I right-click, Result Wizard, choose this computer, it works fine showing default domain controllers policy with alert that it's enforced.
  If I browse for another PC (it comes up as Domain\PC name), click Next, I get error:
  Failed to connect to DOMAIN\PCNAME due to the error listed below. Ensure that the Windows Management Instrumentation (WMI) service is enabled on the target computer, and consult the event log of the target computer for further details.
  Details: the RPC server is unavailable.
  If you need the recent related events, I will post them. I also checked that service on the client - it's automatic and started.
  PPS Clients are all Win 7, PCs are 32bit, laptops are 64. Server is Windows Server 2012 Datacenter. WSUS when clicking Help -> About from the snap-in/GUI: 6.2.9200.16384.
  PPPS Directory browsing for the whole WSUS object in IIS is enabled, thanks to SorinAlbu over at Spiceworks post WSUS and IIS.
  PPPPS Launching IE and loading http://servername:8530/iuident.cab fails 404 error from both clients and server. That file in C:\Program Files\Update Services\WebServices\Root\iuident.cab doesn't exist. Maybe because we recently removed the WSUS role and reinstalled
  it, to check if something went wrong the first time? It's all been configured using the snapin/GUI, but the new installation of the role hasn't yet connected to the Microsoft Update servers.
  PPPPPS Added the Application Server role with default settings as recommended by the step by step guide to WSUS at Technet. Still no dice.

• SCOM - DOMAIN ADMIN account

  Hi All,
  Can somebody share the information , that if domain admin account is necessary to be a SCOM admin?
  Rgs,

  Hi,
  No Domain Administrator is not necessary to be SCOM Administrator.
  Please also check that link:
  http://blogs.technet.com/b/kevinholman/archive/2012/02/17/security-in-operations-manager-some-perspectives-and-typical-customer-scenarios.aspx
  Cheers
  Christoph Maresch | My blogs: blog.cmaresch.at | XING:
  Christoph Maresch
  | Linkedin:
  Christoph Maresch

• Nexus 1000v and vcenter domain admin account

  I changed out domain admin account on our domain in which vcenter services runs as and now its using a different services account. I am wondering if I need to update anything on the nexus 1000v switch side between the 1000v and venter

  Hi Dan,
  You are on the right track. However you can perform some of these function "online".
  First you want to ensure that you are running at a minimum, Nexus 1000v SV1(4a) as ESXi 5.0 only began support on this release. With SV1(4a), it provides support for both ESXi 5.0 and ESX/i 4.1.
  Then you can follow the procedure documented here:
  Upgrading from VMware Release 4.0/4.1 to VMware Release 5.0.0
  This document walks you through upgrading your ESX infrastructure to VMware Release 5.0.0 when Cisco Nexus 1000V is installed. It is required to be completed in the following order:
  1. Upgrade the VSMs and VEMs to Release 4.2(1)SV1(4a).
  2. Upgrade the VMware vCenter Server to VMware Release 5.0.0.
  3. Upgrade the VMware Update Manager to VMware Release 5.0.0.
  4. Upgrade your ESX hosts to VMware Release 5.0.0 with a custom ESXi image that includes the VEM bits.
  Upgrading the ESX/ESXi hosts consists of the following procedures:
  –Upgrading the vCenter Server
  –Upgrading the vCenter Update Manager
  –Augmenting the Customized ISO
  –Upgrading the ESXi Hosts
  There is also a 3 part video highlighting the procedure to perfrom the last two steps above (customized ISO and upgrading ESXi hosts)
  Video: Upgrading the VEM to VMware ESXi Release 5.0.0
  Hope that helps you with your upgrade.
  Thanks,
  Michael

• Domain admin accounts locks out constantly

  Hello.
  My boss has a domain admin account that keeps locking out, and we can't figure out why. We can tell from the domain controller logs that krbtgt is the *offending* service, and it is coming from a sql server that we have. In looking over the server, we can't
  find where any passwords might be stored that would be trying to pass this automatically. We've even manually removed any profile information for this account that we could find. If I reset the account, I can then log into the server with his account and everything
  is fine, but after logging out the account locks again.
  Does anybody have any ideas for how to fix this?
  If it helps, the EventID is 4771 and the Status that gets returned is 0x12

  I have something that can help you enabling netlogon logging on all DCs.
  1. Make a list of DCs and save it in a text file called dcs.txt (you can do that by running netdom query DC).
  2. Download psexec.exe from sysinternals
  3. Then run the following to enable logging:
  for /f %i in (dcs.txt) do psexec \\%i c:\windows\system32\nltest.exe /dbflag:0x2080ffff
  4. Take the log files all in your place:
  for /f %i in (dcs.txt) do copy /y \\%i\admin$\debug\netlogon.log .\%i.netlogon.log
  5. then search for wrong passwords:
  type *.netlogon.log |findstr /i 0xC000006A > badpasswords.txt
  6. Disable netlogon logging:
  for /f %i in (dcs.txt) do psexec \\%i c:\windows\system32\nltest.exe /dbflag:0x0

• Domain Admin Account

  Hi - we are implementing secure Domain Admin accounts. We have 4 domain controllers (one 2008 and 3 2012's) in our environment. I am trying to restrict the Domain Admin accounts so that they can only log onto the 4 DC's. I added the DC's to the "Log
  On To" tab in the account setup.
  I have no issues logging into the 2008 DC, however, I cannot log into the 2012 DC's. I get "The Local Security Authority cannot be contacted". We found an article that stated you have to also add the workstation you are logging in from to the "Log
  On To" options. Is that the only option to accomplish this? I don not want to have to add all possible combinations of workstations where one of the engineers could be logging in from.

  The role separation is part of how it should be done, but it sounds like you found that out the hard way.  But encouraging users to log on to interactive sessions on DCs is usually a really bad idea.  Ideally, nobody would ever see a DC's desktop. 
  You'd probably be better served by creating a management workstation or server, installing RSAT, preventing anyone but domain admins from logging on, and using that for management. 
  But most people just use "run as different user" to launch admin tools with admin credentials on their regular workstations.

• Domain Admin Account cannot logon to member servers by remote. It can only logon to Domain Controllers

  Our environment has both 2008R2 and 2012R2 Domain Controllers. Recently one of our Domain Admins started having problems logging onto all servers by remote desktop except for domain controllers. The error message is as follows:
  "To log on to this remote computer, you must be granted the Allow log on through Terminal
  Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote
  Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually"
  All the other Domain Admin Accounts do not have this problem. Suggested solutions recommend checking local policies on the individual servers however I feel that is not
  right. Also there many servers hence doing that in each member server would be cumbersome. There must be solution that requires a single action for all servers and also does not  involve creating a new account. The account was recently used to implement
  a Windows 2012R2 WSUS server and besides the DC's, it is the only other server the account can remote into. This is strange. Help please.

  Hi,
  Does that user has permission for remoting before?
  To start with, there are two types of user rights; Logon rights & Privileges. In simpler terms these are: 
  1) Remote Logon: rights to machine
  2) Logon: privileges for access to the RDP-TCP Listener
  The Remote Logon is governed by the “Allow Logon through Terminal Services” group policy. This is under
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
  Also check RDP-TCP listener properties. More information.
  “Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.
  http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• NIC Disabled, No Cached Domain Admin Account

  We've had this happen to a couple computers now. We have a school computer lab where the kids log in with standard (non-administrator) domain accounts. Somehow, the Ethernet adapter gets disabled, and we can't reenable it on the computer because
  the local administrator is disabled and the domain administrators get the "no login server" error. The student login still works, but none of the administrator accounts or even lab teacher logins work. The administrator accounts have indeed been
  used on the computer before, but not cached for this exact situation.
  Kind of a catch 22. Need to use admin account to enable network access, need network access to authenticate admin on domain server.
  So, what do we do?

  Thanks for the reply.
  We have a similar boot disk solution, but we were hoping for another solution, since it is a little labor intensive, especially if this keeps happening. We were thinking of taking the proactive measure of enabling the local admin account on all the computers
  in the lab, but I'm not sure why these problems are coming up in the first place. First, we have no idea how the adapters keep getting disabled when only non-admin student accounts are the only ones logging in. Second, why can't we log in with any of the domain
  admin logins on the disconnected computers, yet we can login with the student accounts?

• Domain Admin account mapping

  When I do a
  "sudo net groupmap list" command I get the following mapping.
  Domain Admins -> com.apple.monitorallservices
  Would would domain Admin be mapped to this group instead of domainadmins?
  The reason I ask is, by not having Domain Admin pointing to a domainadmins, the Domain Administrators are not automatically added to each client system's Administrative group.
  Doesn't make sense.

  The role separation is part of how it should be done, but it sounds like you found that out the hard way.  But encouraging users to log on to interactive sessions on DCs is usually a really bad idea.  Ideally, nobody would ever see a DC's desktop. 
  You'd probably be better served by creating a management workstation or server, installing RSAT, preventing anyone but domain admins from logging on, and using that for management. 
  But most people just use "run as different user" to launch admin tools with admin credentials on their regular workstations.

• Quota entry even shows for domain admin account when logged on to server

  Just set up quotas on a drive on a Server 2012 machine, and after setting a default quota for new users, it now only shows the drive on the server to be 2GB (which is what the default quota for new users is set to), rather than the 500GB the drive really
  is, even though I'm logged on to the machine as a domain admin and there is not a quota entry listed for that account when i look at the quota details.
  How can I fix that so I can see the actual space of the drive again?

  Hi,
  Disk quotas are transparent to the user. When a user asks how much space is free on a disk, the system reports only the user's available quota allowance.
  You could check the quota through right-click the volume for which you want to modify quota values, and then click
  Properties. In the Properties dialog box, click the
  Quota tab.
  On the Quota tab, click Quota Entries.
  http://technet.microsoft.com/en-us/library/dd758768(v=ws.10).aspx#BKMK_FSRMvsNTFS
  Regards.
  Vivian Wang

• Can't login in to OS X 10.6.7 without domain admin account

  Have just bought a mac mini to test in a Windows server environment.
  I successfully bound to the Acitve Directory server and was able to login as my default user account;
  I moved on and did a software update which moved me from 10.6.4 to 10.6.7 and since this I have not been able to logon using that or any normal user accounts.
  I can successfully login as the administrator (default account created during install) and surprisingly can login as any  Domain Administrator account, something I don't want to be doing. I tested with other normal users with the same issue and can sucessfully install with any Domain Administrator account.
  I have seen a few things that are similar but none of the fixes seem to work...
  This doesn't bode well for Macs in the workplease :S

  I would recommend preparing your system first and then update by following these instructions:
  1. Backup first using Time Machine!
  2. Disconnect all peripherals except the keyboard and mouse.
  4. Download the Combo Update from Apple Downloads.
  5. Boot computer in Safe Mode. Note: Safe Boot loads a stripped down system which may reduce any chance of incompatibility while the update is running. Keep all Applications closed.
  6. Repair Permissions from Disk Utility while booted in Safe Mode.
  7. Install the update from Safe Mode.
  8. Restart as you normally would if prompted.

• ADFS2012R2 Install: Why does this need Active Directory Domain Admin Account as one of the pre requisites for installating AD FS server

  Team,
  We were trying to configure AD FS through ADFS Wizard on Windows 2012 R2 box as part of ADFS upgrade from ADFS 2.0 to ADFS 3.0. But the installation got stuck in between as the domain account which we were using does not have admin privileges on the AD side. 
  We have to raise to AD team to elevate the rights of the service accountb we are using.
  Can any one please tell me why having an admin AD account is pre requisite for the AD FS configuration, what are the "Write" changes which occur at Active Directory side post ADFS installtion, we need this details to supply to AD team for the justification
  purpose.
  Would appreciate any detailed response on this query
  thanks
  Lav

  Hi,
  dont know all exact objects ADFS is trying to create in AD, but it needs to create some container and objects under cn=Programm Data,DC=domain,dc=com for sharing certificates.
  We had troube with this because the container does'nt exists.
  Regards
  Peter
  Peter Stapf - ExpertCircle GmbH - My blog:
  JustIDM.wordpress.com

• User Accounts in Domain Admins group do not have full administrative rights to the server

  Our server was fine until recently one day we lost admin access for admin user accounts. If we log in to the server with the Domain Admin account, this account has full admin access to the server and can install and launch all programs and even all server
  admin tools. If we log into the server with a user account which is in the Domain Admins group, that account cannot install software or launch Services.MSC. Even IE will not load any page and crash with a "Not Responding" Error.
  The server has no viruses we even ran SFC /SCANNOW and it did repair from corrupted files but that didn't fix the issue.
  Any ideas?

  Hi Rick,
  May be UAC is blocking installtion. Have it disabled and see if it helps.  Ensure you have domain admin groups added into local administrators group.
  Alos Check these links please.
  https://social.technet.microsoft.com/Forums/en-US/b5300f28-6a2a-4760-8b80-97a2da0f87c1/2012-domain-admin-user-cannot-install-programs-on-a-domain-windows-7-pc?forum=winserverDS
  https://social.technet.microsoft.com/Forums/en-US/0ca040de-52ac-4259-bf78-c22436fd04d4/domain-users-with-domain-admins-right-cannot-install-programs-or-open-server-manager?forum=winserverDS
  Thanks,
  Umesh.S.K

• Premiere and Photoshop CC Crashes at launch on a Domain Non-Domain Admin Computer

  On Windows 7 Domain computer lab as a non domain admin but local admin, program launches and then closes with the error codes below. As domain admin account, it works fine. This is a K12 education institution, so giving student's domain admin status is unacceptable. Please advise, any help is greatly appreciated.
  FYI, things i have tried:
  Integrated graphics cards, I have uninstalled and re-installed drivers. No luck. I have also made the pslog.txt file and given appropriate permissions to all users.
  Error Codes:
  Windows Error Code - Application error
  Faulting application name: Adobe Premiere Pro.exe, version: 8.0.1.21, time stamp: 0x53c7b17f
  Faulting module name: dvaui.dll, version: 8.0.1.21, time stamp: 0x53c76970
  Exception code: 0xc0000005
  Fault offset: 0x00000000002f4e39
  Faulting process id: 0xf28
  Faulting application start time: 0x01d01a2c32635355
  Faulting application path: C:\Program Files\Adobe\Adobe Premiere Pro CC 2014\Adobe Premiere Pro.exe
  Faulting module path: C:\Program Files\Adobe\Adobe Premiere Pro CC 2014\dvaui.dll
  Report Id: 924f6336-861f-11e4-821e-0024811149b1
  Fault bucket 45383478, type 20
  Event Name: APPCRASH
  Response: Not available
  Cab Id: 0
  Windows Information - Windows Error
  Problem signature:
  P1: Adobe Premiere Pro.exe
  P2: 8.0.1.21
  P3: 53c7b17f
  P4: dvaui.dll
  P5: 8.0.1.21
  P6: 53c76970
  P7: c0000005
  P8: 00000000002f4e39
  P9:
  P10:
  Attached files:
  C:\Users\esdstudent\AppData\Local\Temp\WER9443.tmp.WERInternalMetadata.xml
  These files may be available here:
  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Adobe Premiere P_ad637fa2c8bd70d3e74771b4be53569c25a980_00c3bab6
  Analysis symbol:
  Rechecking for solution: 0
  Report Id: 924f6336-861f-11e4-821e-0024811149b1
  Report Status: 0

  I think you have answered your own question... you must have BOTH types of user accounts set to Administrator
  This is an open forum with a mix of program users and Adobe staff, not Adobe support... you need Adobe support
  Adobe contact information - http://helpx.adobe.com/contact.html may help
  -Select your product and what you need help with
  -Click on the blue box "Still need help? Contact us"